Azure.ResourceManager.SecurityInsights.Models Namespace

Represents AADIP (Azure Active Directory Identity Protection) requirements check request.

Represents AATP (Azure Advanced Threat Protection) requirements check request.

Represents Activity entity query.

Represents Activity entity query.

The Activity query definitions.

Represents Activity entity query.

Represents Activity timeline item.

The AddIncidentTaskActionProperties.

alert rule template data sources.

Analytics Rule Run Trigger request.

Represents Anomaly Security ML Analytics Settings.

Represents anomaly timeline item.

Model factory for models.

Represents ASC (Azure Security Center) requirements check request.

Describes an automation rule action to add a task to an incident.

The AutomationRuleBooleanCondition.

Describes an automation rule action to modify an object's properties.

The AutomationRulePropertyArrayChangedValuesCondition.

The AutomationRulePropertyArrayValuesCondition.

The AutomationRulePropertyValuesChangedCondition.

The AutomationRulePropertyValuesCondition.

Describes an automation rule action to run a playbook.

The AutomationRuleRunPlaybookActionProperties.

Model for API authentication with AWS.

Amazon Web Services CloudTrail requirements check request.

Amazon Web Services S3 requirements check request.

Represents Amazon Web Services S3 data connector.

Resources created in Azure DevOps repository.

Model for API authentication with basic flow - user name + password.

Expansion result connected entities.

Describes the entity mappings of a single entity.

The parameters required to execute an expand operation on the given bookmark.

The expansion result values.

The entity expansion result operation response.

Represents bookmark timeline item.

Describes an automation rule condition that applies a boolean operator (e.g AND, OR) to conditions.

Base Model for API authentication. Please note CcpAuthConfig is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include SecurityInsightsApiKeyAuthModel, AwsAuthModel, BasicAuthModel, GcpAuthModel, GitHubAuthModel, JwtAuthModel, NoneAuthModel, OAuthModel, OracleAuthModel, GenericBlobSbsAuthModel and SessionAuthModel.

A custom response configuration for a rule.

Represents Codeless API Polling data connector.

Describe the authentication properties needed to successfully authenticate with the server.

Config to describe the polling config for API poller connector.

Describe the properties needed to make a pagination call.

Describe the request properties needed to successfully pull from the server.

Describes the response from the external server.

Config to describe the instructions blade.

Represents Codeless UI data connector.

Connector Availability Status.

Setting for the connector check connectivity.

The criteria by which we determine whether the connector is connected or not. For Example, use a KQL query to check if the expected data type is flowing).

Customs permissions required for the connector.

Customs permissions required for the connector.

The data type which is created by the connector, including a query indicated when was the last time that data type was received in the workspace.

The exposure status of the connector to the customers.

The required Permissions for the connector.

The resource provider details include the required permissions for the user to create connections. The user should have the required permissions(Read\Write, ..) in the specified scope ProviderPermissionsScope against the specified resource provider.

The graph query to show the current data status.

The graph query to show the volume of data arriving into the workspace over time.

Instruction step details.

Permissions required for the connector.

Required permissions for the connector.

Resource provider permissions required for the connector.

Required permissions for the connector resource provider that define in ResourceProviders. For more information about the permissions see <see href="https://docs.microsoft.com/en-us/azure/role-based-access-control/role-definitions#actions-format">here</see>.

The UiConfig for 'Customizable' connector definition kind.

Connector definition for kind 'Customizable'.

The UiConfig for 'Customizable' connector definition kind.

The Custom permissions required for the connector.

Represents Codeless API Polling data connector.

Common field for data type in data connectors.

Data connector requirements status.

Data connector requirements properties. Please note DataConnectorsCheckRequirements is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include AwsCloudTrailCheckRequirements, AwsS3CheckRequirements, AadCheckRequirements, AatpCheckRequirements, AscCheckRequirements, Dynamics365CheckRequirements, IotCheckRequirements, McasCheckRequirements, MdatpCheckRequirements, MicrosoftPurviewInformationProtectionCheckRequirements, MstiCheckRequirements, MtpCheckRequirements, Office365ProjectCheckRequirements, OfficeAtpCheckRequirements, OfficeIrmCheckRequirements, OfficePowerBICheckRequirements, ThreatIntelligenceCheckRequirements and ThreatIntelligenceTaxiiCheckRequirements.

The data type definition.

The configuration of the destination of the data.

Represents Dynamics365 requirements check request.

Represents Dynamics365 data connector.

Domain name to be enriched.

Whois information for a given domain and associated metadata.

An individual contact associated with this domain.

The set of contacts associated with this domain.

The whois record for a given domain.

The registrar associated with this domain.

IP address (v4 or v6) to be enriched.

Geodata information for a given IP address.

Settings with single toggle.

The edge that connects the entity to the other entity.

The parameters required to execute an expand operation on the given entity.

The expansion result values.

The entity expansion result operation response.

Map identifiers of a single entity.

The parameters required to execute insights operation on the given entity.

Entity insight Item.

The Time interval that the query actually executed on.

Describes the request body for triggering a playbook on an entity.

An abstract Query item for entity Please note EntityQueryItem is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include InsightQueryItem.

An properties abstract Query item for entity.

The EntityQueryItemPropertiesDataTypesItem.

The parameters required to execute s timeline operation on the given entity.

Entity timeline Item. Please note EntityTimelineItem is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include ActivityTimelineItem, AnomalyTimelineItem, BookmarkTimelineItem and SecurityAlertTimelineItem.

Represents Expansion entity query.

Information of a specific aggregation in the expansion result.

Represents a Fusion scenario exclusion patterns in Fusion detection.

Represents a supported source signal configuration in Fusion detection.

Represents a supported source subtype configuration under a source signal in Fusion detection.

Represents severity configuration for a source subtype consumed in Fusion detection.

Represents a Severity filter setting for a given source subtype consumed in Fusion detection.

Represents a source signal consumed in Fusion detection.

Represents a source subtype under a source signal consumed in Fusion detection.

Represents severity configurations available for a source subtype consumed in Fusion detection.

Model for API authentication for all GCP kind connectors.

Google Cloud Platform auth section properties.

Represents Google Cloud Platform data connector.

Google Cloud Platform request section properties.

Model for API authentication for working with service bus or storage account.

Model for API authentication for GitHub. For this authentication first we need to approve the Router app (Microsoft Security DevOps) to access the GitHub account, Then we only need the InstallationId to get the access token from https://api.github.com/app/installations/{installId}/access_tokens.

An observable of this indicator.

Represents Insight Query.

Represents Insight Query.

The activity query definitions.

The insight chart query.

The insight table query.

The InsightQueryItemPropertiesTableQueryColumnsDefinitionsItem.

The InsightQueryItemPropertiesTableQueryQueriesDefinitionsItem.

The InsightQueryItemPropertiesTableQueryQueriesDefinitionsPropertiesItemsItem.

Query results for table insights query.

The InsightsTableResultColumnsItem.

Instruction steps to enable the connector.

Instruction step details, to be displayed in the Instructions steps section in the connector's page in Sentinel Portal.

Instruction steps to enable the connector.

Represents IoT requirements check request.

Represents IoT data connector.

An entity describing the publish status of a content item.

Model for API authentication with JWT. Simple exchange between user name + password to access token.

Data type for last data received.

The ManualTriggerRequestBody.

Represents MCAS (Microsoft Cloud App Security) requirements check request.

Represents MCAS (Microsoft Cloud App Security) data connector.

The available data types for MCAS (Microsoft Cloud App Security) data connector.

Represents MDATP (Microsoft Defender Advanced Threat Protection) requirements check request.

Represents MDATP (Microsoft Defender Advanced Threat Protection) data connector.

Represents MicrosoftPurviewInformationProtection requirements check request.

Represents Microsoft Purview Information Protection data connector.

Represents MicrosoftSecurityIncidentCreation rule.

Represents MicrosoftSecurityIncidentCreation rule template.

Represents MLBehaviorAnalytics alert rule.

Represents MLBehaviorAnalytics alert rule template.

Represents Microsoft Threat Intelligence requirements check request.

Represents Microsoft Threat Intelligence data connector.

Represents MTP (Microsoft Threat Protection) requirements check request.

Represents MTP (Microsoft Threat Protection) data connector.

Represents an network interface entity.

Model for API authentication with no authentication method - public API.

Represents NRT alert rule.

Represents NRT alert rule template.

Model for API authentication with OAuth2.

Represents Office365 Project requirements check request.

Represents Office Microsoft Project data connector.

Represents OfficeATP (Office 365 Advanced Threat Protection) requirements check request.

Represents OfficeATP (Office 365 Advanced Threat Protection) data connector.

Represents OfficeIRM (Microsoft Insider Risk Management) requirements check request.

Represents OfficeIRM (Microsoft Insider Risk Management) data connector.

Represents Office PowerBI requirements check request.

Represents Office Microsoft PowerBI data connector.

Model for API authentication for Oracle.

Describes an automation rule condition that evaluates an array property's value.

The error description for why a publication failed.

Information regarding pull request for protected branches.

What suggestions should be taken to complete the recommendation.

Reevaluate response object.

An object used to help follow relationships from this object to other STIX objects.

Credentials to access repository.

Credentials to access repository.

Resources created in user's repository for the source-control.

Represents Rest Api Poller data connector.

The request configuration.

The request paging configuration.

Billing statistic about the Microsoft Sentinel solution for SAP Usage.

Represents scheduled alert rule template.

Represents security alert timeline item.

Represents AADIP (Azure Active Directory Identity Protection) data connector.

Represents AATP (Azure Advanced Threat Protection) data connector.

Represents an account entity.

Represents a security alert entity.

confidence reason item.

Settings for how to dynamically override alert static details.

A single alert property mapping to override.

Action for alert rule.

Single entity mapping for the alert rule.

Alerts data type for data connectors.

Model for authentication with the API Key. Will result in additional header on the request (default behavior) to the remote server: 'ApiKeyName: ApiKeyIdentifier ApiKey'. If 'IsApiKeyInPostPayload' is true it will send it in the body of the request and not the header.

Represents ASC (Azure Security Center) data connector.

Describes an automation rule action. Please note SecurityInsightsAutomationRuleAction is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include AutomationRuleAddIncidentTaskAction, AutomationRuleModifyPropertiesAction and AutomationRuleRunPlaybookAction.

Describes an automation rule condition. Please note SecurityInsightsAutomationRuleCondition is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include BooleanConditionProperties, SecurityInsightsPropertyConditionProperties, PropertyArrayConditionProperties, SecurityInsightsPropertyArrayChangedConditionProperties and SecurityInsightsPropertyChangedConditionProperties.

Describes automation rule triggering logic.

Represents Amazon Web Services CloudTrail data connector.

Represents an azure resource entity.

Describes related incident information for the bookmark.

Information on the client (user or application) that made some action.

Represents a cloud application entity.

Represents a dns entity.

A class representing the SecurityInsightsEntity data model. Specific entity. Please note SecurityInsightsEntity is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include SecurityInsightsAccountEntity, SecurityInsightsAzureResourceEntity, SecurityInsightsHuntingBookmark, SecurityInsightsCloudApplicationEntity, SecurityInsightsDnsEntity, SecurityInsightsFileEntity, SecurityInsightsFileHashEntity, SecurityInsightsHostEntity, SecurityInsightsIotDeviceEntity, SecurityInsightsIPEntity, SecurityInsightsMailboxEntity, SecurityInsightsMailClusterEntity, SecurityInsightsMailMessageEntity, SecurityInsightsMalwareEntity, NicEntity, SecurityInsightsProcessEntity, SecurityInsightsRegistryKeyEntity, SecurityInsightsRegistryValueEntity, SecurityInsightsAlert, SecurityInsightsGroupEntity, SecurityInsightsSubmissionMailEntity and SecurityInsightsUriEntity.

Specific entity query that supports put requests. Please note SecurityInsightsEntityQueryCreateOrUpdateContent is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include ActivityCustomEntityQuery.

Settings with single toggle.

A single field mapping of the mapped entity.

Represents a file entity.

Represents a file hash entity.

Represents a file.

Describes an error encountered in the file during validation.

Represents Fusion alert rule.

Represents Fusion alert rule template.

Represents a security group entity.

Grouping configuration property bag.

Represents a host entity.

Represents a Hunting bookmark entity.

Describes a user that the hunt is assigned to.

The SecurityInsightsIncidentActionConfiguration.

Incident additional data property bag.

Incident Configuration property bag.

Information of a specific aggregation in the incident related entities result.

The incident related entities response.

Represents an incident label.

Information on the user an incident is assigned to.

Represents an IoT device entity.

Represents an ip entity.

The geo-location context attached to the ip entity.

Represents a mailbox entity.

Represents a mail cluster entity.

Represents a mail message entity.

Represents a malware entity.

Publisher or creator of the content item.

ies for the solution content item.

Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies.

Metadata patch request body.

The original source of the content item, where it comes from.

Support information for the content item.

Represents office data connector.

The available data types for office data connector.

The SecurityInsightsPackageCollectionGetAllOptions.

Represents a process entity.

The SecurityInsightsProductTemplateCollectionGetAllOptions.

Describes an automation rule condition that evaluates an array property's value change.

Describes an automation rule condition that evaluates a property's value change.

Describes an automation rule condition that evaluates a property's value.

Recommendation Fields to update.

Represents a registry key entity.

Represents a registry value entity.

Represents scheduled alert rule.

Settings with single toggle.

Represents a submission mail entity.

The SecurityInsightsTemplateCollectionGetAllOptions.

ThreatIntelligence property bag.

Threat intelligence indicator entity.

Represents threat intelligence data connector.

Represents a url entity.

User information that made some action.

security ml analytics settings data sources.

A single sentinel entity mapping.

Model for API authentication with session cookie.

Description about a deployment.

Information regarding a deployment.

Warning response structure.

Warning details.

Represents a repository.

metadata of a repository.

The sample queries for the connector.

Service principal metadata.

Detail about the webhook object.

Describes team information.

Template property bag.

Template property bag.

Represents Threat Intelligence alert rule.

Represents Threat Intelligence alert rule template.

Array of tags to be appended to the threat intelligence indicator.

Represents an attack pattern in Azure Security Insights.

Threat Intelligence Platforms data connector check requirements.

Count of all the threat intelligence objects on the workspace that match the provided query.

Represents a query to run on the TI objects in the workspace.

Describes external reference.

Filtering criteria for querying threat intelligence indicators.

Describes threat granular marking model entity.

Represents an identity in Azure Security Insights.

Represents an indicator in Azure Security Insights.

Describes threat kill chain phase entity.

Describes threat intelligence metric.

Describes threat intelligence metric entity.

Threat intelligence metrics.

Represents a threat intelligence object in Azure Security Insights. Please note ThreatIntelligenceObject is the base class. According to the scenario, a derived class of the base class might need to be assigned here, or this property needs to be casted to one of the possible derived classes. The available derived classes include ThreatIntelligenceAttackPattern, ThreatIntelligenceIdentity, ThreatIntelligenceIndicator, ThreatIntelligenceRelationship and ThreatIntelligenceThreatActor.

Describes parsed pattern entity.

Describes threat kill chain phase entity.

Represents a query to run on the TI objects in the workspace.

Represents a condition used to query for TI objects.

Represents a single clause to be evaluated by a NormalizedCondition.

Represents a condition used to query for TI objects.

Specifies how to sort the query results.

Represents a relationship in Azure Security Insights.

List of available columns for sorting.

Threat Intelligence TAXII data connector check requirements.

Data connector to pull Threat intelligence data from TAXII 2.0/2.1 server.

Represents a threat actor in Azure Security Insights.

Data about a user or client application.

Settings with single toggle.

Geodata information for a given IP address.

An entity describing a content item.

The anomaly SecurityMLAnalyticsSettings status.

The directionality of this mail message.

The AutomationRuleBooleanConditionSupportedOperator.

The AutomationRulePropertyArrayChangedConditionSupportedArrayType.

The AutomationRulePropertyArrayChangedConditionSupportedChangeType.

The AutomationRulePropertyArrayConditionSupportedArrayConditionType.

The AutomationRulePropertyArrayConditionSupportedArrayType.

The AutomationRulePropertyChangedConditionSupportedChangedType.

The AutomationRulePropertyChangedConditionSupportedPropertyType.

The AutomationRulePropertyConditionSupportedOperator.

The property to evaluate in an automation rule property condition.

The authentication kind used to poll the data.

The connector Availability Status.

type of connectivity.

The HTTP method, default value GET.

Provider name.

The kind of the setting.

Describes the state of user's authorization for a connector kind.

Describes the state of user's license for a connector kind.

Device importance, determines if the device classified as 'crown jewel'.

The EnrichmentType.

The EntityItemQueryKind.

The entity provider that is synced.

The EntityQueryKind.

The EntityTemplateQueryKind.

The entity query kind.

The event grouping aggregation kinds.

The status of the hunt.

The hypothesis status of the hunt.

The IncidentTaskStatus.

Describes how to ingest the records in the file.

Insights Column type.

The alerts' productName on which the cases will be generated.

The available data providers.

Permission provider scope.

The polling frequency for the TAXII server.

The scope on which the user should have permissions, in order to be able to create connections.

Status of the item publication.

State of recommendation.

The kind of repository access credentials.

Type of paging.

The confidence level of this alert.

The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.

Alert detail.

The V3 alert property.

The V3 type of the mapped entity.

The alert rule template status.

The severity of the alert.

The lifecycle status of the alert.

The severity for alerts created by this alert rule.

Describe whether this data type connection is enabled or not.

The kind of the entity.

The type of the entity.

Indicates whether the file was deleted from the storage account.

The format of the file.

The hash algorithm type.

The content type of this file.

The state of the file import.

Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty.

The reason the incident was closed.

The classification reason the incident was closed with.

The type of the label.

The type of the owner the hunt is assigned to.

The severity of the incident.

The status of the incident.

The intent of the alert.

The kind of content the metadata is for.

The boolean value the metadata is for.

The package kind.

the hive that holds the registry key.

Specifies the data types to use when storing values in the registry, or identifies the data type of a value in the registry.

Source type of the content.

Type of support for content item.

The source of the watchlist.

The content type of a source control path.

Status while trying to fetch the deployment information.

Status while trying to fetch the deployment information.

The current state of the deployment.

The type of repository.

The type of repository.

The version of the source control.

Represents boolean connectives used to join clauses in conditions.

Represents an operator in a ConditionClause.

The direction to sort the results by.

Sorting order (ascending/descending/unsorted).

The ThreatIntelligenceType.

The triggered analytics rule run provisioning state.

The TriggersOn.

The TriggersWhen.

The data source that enriched by ueba.

The sourceType of the watchlist.

The current mode of the workspace manager configuration.

The operation against the threshold that triggers alert rule.

The operating system type.

The delivery action of this mail message like Delivered, Blocked, Replaced etc.

The delivery location of this mail message like Inbox, JunkFolder etc.

The elevation token associated with the process.