<?xml version='1.0' encoding='utf-8'?>
<CodeGen plane="mgmt-plane">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvaW5jaWRlbnRzL3tpbmNpZGVudElkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<commandGroup name="sentinel incident">
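<!--
  sentinel incident show: reads one incident with a single GET
  (operationId Incidents_Get) at the fixed api-version 2022-06-01-preview and
  returns the parsed 200 body as $Instance.
  Enum and default "value" attributes hold the literal together with its own
  double quotes, so those quotes are written as the quot entity; the angle
  brackets in array types are written as the lt/gt entities. Both are required
  for the document to be well-formed.
-->
<command name="show" version="2022-06-01-preview">
  <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvaW5jaWRlbnRzL3tpbmNpZGVudElkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
  <!-- Path arguments; each one is bound to a URL path parameter of the same name below. -->
  <argGroup name="">
    <arg type="string" var="$Path.incidentId" options="incident-id name n" required="True" idPart="child_name_1">
      <help short="Incident ID"/>
    </arg>
    <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
    <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
    <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
      <help short="The name of the workspace."/>
      <format maxLength="90" minLength="1"/>
    </arg>
  </argGroup>
  <operation operationId="Incidents_Get">
    <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}">
      <request method="get">
        <path>
          <!-- NOTE(review): unlike resourceGroupName and workspaceName, incidentId carries no
               format limits in this model; any validation is presumably done by the service (confirm). -->
          <param type="string" name="incidentId" arg="$Path.incidentId" required="True"/>
          <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
            <format maxLength="90" minLength="1"/>
          </param>
          <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
            <format minLength="1"/>
          </param>
          <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
            <format maxLength="90" minLength="1"/>
          </param>
        </path>
        <query>
          <!-- Constant, read-only query parameter: the caller cannot choose another API version. -->
          <const readOnly="True" const="True" type="string" name="api-version" required="True">
            <default value="&quot;2022-06-01-preview&quot;"/>
            <format minLength="1"/>
          </const>
        </query>
      </request>
      <response statusCode="200">
        <body>
          <json var="$Instance">
            <schema type="object">
              <prop type="string" name="etag"/>
              <prop readOnly="True" type="ResourceId" name="id">
                <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/incidents/{}"/>
              </prop>
              <prop readOnly="True" type="string" name="name"/>
              <prop type="object" name="properties" clientFlatten="True">
                <prop readOnly="True" type="object" name="additionalData">
                  <prop readOnly="True" type="array&lt;string&gt;" name="alertProductNames">
                    <item readOnly="True" type="string"/>
                  </prop>
                  <prop readOnly="True" type="integer32" name="alertsCount"/>
                  <prop readOnly="True" type="integer32" name="bookmarksCount"/>
                  <prop readOnly="True" type="integer32" name="commentsCount"/>
                  <prop readOnly="True" type="string" name="providerIncidentUrl"/>
                  <!-- The value set resembles MITRE ATT&CK tactic names; TODO confirm against the swagger. -->
                  <prop readOnly="True" type="array&lt;string&gt;" name="tactics">
                    <item readOnly="True" type="string">
                      <enum>
                        <item value="&quot;Collection&quot;"/>
                        <item value="&quot;CommandAndControl&quot;"/>
                        <item value="&quot;CredentialAccess&quot;"/>
                        <item value="&quot;DefenseEvasion&quot;"/>
                        <item value="&quot;Discovery&quot;"/>
                        <item value="&quot;Execution&quot;"/>
                        <item value="&quot;Exfiltration&quot;"/>
                        <item value="&quot;Impact&quot;"/>
                        <item value="&quot;ImpairProcessControl&quot;"/>
                        <item value="&quot;InhibitResponseFunction&quot;"/>
                        <item value="&quot;InitialAccess&quot;"/>
                        <item value="&quot;LateralMovement&quot;"/>
                        <item value="&quot;Persistence&quot;"/>
                        <item value="&quot;PreAttack&quot;"/>
                        <item value="&quot;PrivilegeEscalation&quot;"/>
                        <item value="&quot;Reconnaissance&quot;"/>
                        <item value="&quot;ResourceDevelopment&quot;"/>
                      </enum>
                    </item>
                  </prop>
                  <prop readOnly="True" type="array&lt;string&gt;" name="techniques">
                    <item readOnly="True" type="string"/>
                  </prop>
                </prop>
                <prop type="string" name="classification">
                  <enum>
                    <item value="&quot;BenignPositive&quot;"/>
                    <item value="&quot;FalsePositive&quot;"/>
                    <item value="&quot;TruePositive&quot;"/>
                    <item value="&quot;Undetermined&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="classificationComment"/>
                <prop type="string" name="classificationReason">
                  <enum>
                    <item value="&quot;InaccurateData&quot;"/>
                    <item value="&quot;IncorrectAlertLogic&quot;"/>
                    <item value="&quot;SuspiciousActivity&quot;"/>
                    <item value="&quot;SuspiciousButExpected&quot;"/>
                  </enum>
                </prop>
                <prop readOnly="True" type="dateTime" name="createdTimeUtc"/>
                <prop type="string" name="description"/>
                <prop type="dateTime" name="firstActivityTimeUtc"/>
                <prop readOnly="True" type="integer32" name="incidentNumber"/>
                <prop readOnly="True" type="string" name="incidentUrl"/>
                <prop type="array&lt;object&gt;" name="labels">
                  <item type="object">
                    <prop type="string" name="labelName" required="True"/>
                    <prop readOnly="True" type="string" name="labelType">
                      <enum>
                        <item value="&quot;AutoAssigned&quot;"/>
                        <item value="&quot;User&quot;"/>
                      </enum>
                    </prop>
                  </item>
                </prop>
                <prop type="dateTime" name="lastActivityTimeUtc"/>
                <prop readOnly="True" type="dateTime" name="lastModifiedTimeUtc"/>
                <!-- Assignee identity (email, directory object id, user principal name) is part of
                     the output; treat saved or shared command output as containing personal data. -->
                <prop type="object" name="owner">
                  <prop type="string" name="assignedTo"/>
                  <prop type="string" name="email"/>
                  <prop type="uuid" name="objectId"/>
                  <prop type="string" name="ownerType">
                    <enum>
                      <item value="&quot;Group&quot;"/>
                      <item value="&quot;Unknown&quot;"/>
                      <item value="&quot;User&quot;"/>
                    </enum>
                  </prop>
                  <prop type="string" name="userPrincipalName"/>
                </prop>
                <prop type="string" name="providerIncidentId"/>
                <prop type="string" name="providerName"/>
                <prop readOnly="True" type="array&lt;string&gt;" name="relatedAnalyticRuleIds">
                  <item readOnly="True" type="string"/>
                </prop>
                <prop type="string" name="severity" required="True">
                  <enum>
                    <item value="&quot;High&quot;"/>
                    <item value="&quot;Informational&quot;"/>
                    <item value="&quot;Low&quot;"/>
                    <item value="&quot;Medium&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="status" required="True">
                  <enum>
                    <item value="&quot;Active&quot;"/>
                    <item value="&quot;Closed&quot;"/>
                    <item value="&quot;New&quot;"/>
                  </enum>
                </prop>
                <prop type="object" name="teamInformation">
                  <prop readOnly="True" type="string" name="description"/>
                  <prop readOnly="True" type="string" name="name"/>
                  <prop readOnly="True" type="string" name="primaryChannelUrl"/>
                  <prop readOnly="True" type="dateTime" name="teamCreationTimeUtc"/>
                  <prop readOnly="True" type="string" name="teamId"/>
                </prop>
                <prop type="string" name="title" required="True"/>
              </prop>
              <!-- Read-only audit fields: who created and last modified the resource, and when. -->
              <prop readOnly="True" type="object" name="systemData">
                <prop readOnly="True" type="dateTime" name="createdAt"/>
                <prop readOnly="True" type="string" name="createdBy"/>
                <prop readOnly="True" type="string" name="createdByType">
                  <enum>
                    <item value="&quot;Application&quot;"/>
                    <item value="&quot;Key&quot;"/>
                    <item value="&quot;ManagedIdentity&quot;"/>
                    <item value="&quot;User&quot;"/>
                  </enum>
                </prop>
                <prop readOnly="True" type="dateTime" name="lastModifiedAt"/>
                <prop readOnly="True" type="string" name="lastModifiedBy"/>
                <prop readOnly="True" type="string" name="lastModifiedByType">
                  <enum>
                    <item value="&quot;Application&quot;"/>
                    <item value="&quot;Key&quot;"/>
                    <item value="&quot;ManagedIdentity&quot;"/>
                    <item value="&quot;User&quot;"/>
                  </enum>
                </prop>
              </prop>
              <prop readOnly="True" type="string" name="type"/>
            </schema>
          </json>
        </body>
      </response>
      <!-- Any other response is parsed as an error body of type @ODataV4Format. -->
      <response isError="True">
        <body>
          <json>
            <schema type="@ODataV4Format"/>
          </json>
        </body>
      </response>
    </http>
  </operation>
  <output type="object" ref="$Instance" clientFlatten="True"/>
</command>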
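<!--
  sentinel incident delete: removes one incident with a single DELETE
  (operationId Incidents_Delete). Status 200 and 204 are both declared as
  success and neither declares a response body.
  NOTE(review): the confirmation prompt is the only client-side guard in this
  model. Who may delete an incident is not expressed here and is presumably
  enforced by the service's access control (confirm).
  The api-version default holds the literal together with its own double
  quotes, so those quotes are written as the quot entity to keep the document
  well-formed.
-->
<command name="delete" version="2022-06-01-preview" confirmation="Are you sure you want to perform this operation?">
  <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvaW5jaWRlbnRzL3tpbmNpZGVudElkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
  <!-- Path arguments; each one is bound to a URL path parameter of the same name below. -->
  <argGroup name="">
    <arg type="string" var="$Path.incidentId" options="incident-id name n" required="True" idPart="child_name_1">
      <help short="Incident ID"/>
    </arg>
    <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
    <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
    <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
      <help short="The name of the workspace."/>
      <format maxLength="90" minLength="1"/>
    </arg>
  </argGroup>
  <operation operationId="Incidents_Delete">
    <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}">
      <request method="delete">
        <path>
          <!-- NOTE(review): incidentId carries no format limits in this model, unlike the
               resource group and workspace names; validation is presumably left to the service (confirm). -->
          <param type="string" name="incidentId" arg="$Path.incidentId" required="True"/>
          <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
            <format maxLength="90" minLength="1"/>
          </param>
          <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
            <format minLength="1"/>
          </param>
          <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
            <format maxLength="90" minLength="1"/>
          </param>
        </path>
        <query>
          <!-- Constant, read-only query parameter: the caller cannot choose another API version. -->
          <const readOnly="True" const="True" type="string" name="api-version" required="True">
            <default value="&quot;2022-06-01-preview&quot;"/>
            <format minLength="1"/>
          </const>
        </query>
      </request>
      <response statusCode="200"/>
      <response statusCode="204"/>
      <!-- Any other response is parsed as an error body of type @ODataV4Format. -->
      <response isError="True">
        <body>
          <json>
            <schema type="@ODataV4Format"/>
          </json>
        </body>
      </response>
    </http>
  </operation>
</command>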
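<!--
  sentinel incident create: sends one PUT (operationId Incidents_CreateOrUpdate)
  whose JSON body is assembled from the Incident and Properties arguments, and
  returns the parsed 200/201 body as $Instance.
  NOTE(review): the operation is create-or-update, so running create with the id
  of an existing incident presumably overwrites that incident (confirm).
  Enum and default "value" attributes hold the literal together with its own
  double quotes, so those quotes are written as the quot entity; the angle
  brackets in array types are written as the lt/gt entities. Both are required
  for the document to be well-formed.
-->
<command name="create" version="2022-06-01-preview">
  <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvaW5jaWRlbnRzL3tpbmNpZGVudElkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
  <!-- Path arguments; each one is bound to a URL path parameter of the same name below. -->
  <argGroup name="">
    <arg type="string" var="$Path.incidentId" options="incident-id name n" required="True" idPart="child_name_1">
      <help short="Incident ID"/>
    </arg>
    <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
    <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
    <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
      <help short="The name of the workspace."/>
      <format maxLength="90" minLength="1"/>
    </arg>
  </argGroup>
  <argGroup name="Incident">
    <!-- NOTE(review): etag is optional in this model. Whether the service uses it to reject
         stale writes is not visible here; confirm before relying on it for concurrency control. -->
    <arg type="string" var="$incident.etag" options="etag" group="Incident">
      <help short="Etag of the azure resource"/>
    </arg>
  </argGroup>
  <!--
    Body arguments. The free-text ones (title, description, classification-comment,
    label-name) carry no format limits in this model, so tools that later display
    these fields should treat them as untrusted text.
  -->
  <argGroup name="Properties">
    <arg type="string" var="$incident.properties.classification" options="classification" group="Properties">
      <help short="The reason the incident was closed"/>
      <enum>
        <item name="BenignPositive" value="&quot;BenignPositive&quot;"/>
        <item name="FalsePositive" value="&quot;FalsePositive&quot;"/>
        <item name="TruePositive" value="&quot;TruePositive&quot;"/>
        <item name="Undetermined" value="&quot;Undetermined&quot;"/>
      </enum>
    </arg>
    <arg type="string" var="$incident.properties.classificationComment" options="classification-comment" group="Properties">
      <help short="Describes the reason the incident was closed"/>
    </arg>
    <arg type="string" var="$incident.properties.classificationReason" options="classification-reason" group="Properties">
      <help short="The classification reason the incident was closed with"/>
      <enum>
        <item name="InaccurateData" value="&quot;InaccurateData&quot;"/>
        <item name="IncorrectAlertLogic" value="&quot;IncorrectAlertLogic&quot;"/>
        <item name="SuspiciousActivity" value="&quot;SuspiciousActivity&quot;"/>
        <item name="SuspiciousButExpected" value="&quot;SuspiciousButExpected&quot;"/>
      </enum>
    </arg>
    <arg type="string" var="$incident.properties.description" options="description" group="Properties">
      <help short="The description of the incident"/>
    </arg>
    <arg type="dateTime" var="$incident.properties.firstActivityTimeUtc" options="first-activity-time-utc" group="Properties">
      <help short="The time of the first activity in the incident"/>
    </arg>
    <arg type="array&lt;object&gt;" var="$incident.properties.labels" options="labels" group="Properties">
      <help short="List of labels relevant to this incident"/>
      <item type="object">
        <arg type="string" var="$incident.properties.labels[].labelName" options="label-name" required="True">
          <help short="The name of the label"/>
        </arg>
      </item>
    </arg>
    <arg type="dateTime" var="$incident.properties.lastActivityTimeUtc" options="last-activity-time-utc" group="Properties">
      <help short="The time of the last activity in the incident"/>
    </arg>
    <!-- Assignee identity is supplied by the caller; whether the service checks these values
         against the directory is not visible in this model. -->
    <arg type="object" var="$incident.properties.owner" options="owner" group="Properties">
      <help short="Describes a user that the incident is assigned to"/>
      <arg type="string" var="$incident.properties.owner.assignedTo" options="assigned-to">
        <help short="The name of the user the incident is assigned to."/>
      </arg>
      <arg type="string" var="$incident.properties.owner.email" options="email">
        <help short="The email of the user the incident is assigned to."/>
      </arg>
      <arg type="uuid" var="$incident.properties.owner.objectId" options="object-id">
        <help short="The object id of the user the incident is assigned to."/>
      </arg>
      <arg type="string" var="$incident.properties.owner.ownerType" options="owner-type">
        <help short="The type of the owner the incident is assigned to."/>
        <enum>
          <item name="Group" value="&quot;Group&quot;"/>
          <item name="Unknown" value="&quot;Unknown&quot;"/>
          <item name="User" value="&quot;User&quot;"/>
        </enum>
      </arg>
      <arg type="string" var="$incident.properties.owner.userPrincipalName" options="user-principal-name">
        <help short="The user principal name of the user the incident is assigned to."/>
      </arg>
    </arg>
    <arg type="string" var="$incident.properties.providerIncidentId" options="provider-incident-id" group="Properties">
      <help short="The incident ID assigned by the incident provider"/>
    </arg>
    <arg type="string" var="$incident.properties.providerName" options="provider-name" group="Properties">
      <help short="The name of the source provider that generated the incident"/>
    </arg>
    <!-- NOTE(review): severity, status and title are not marked required as arguments, although
         the request body schema below marks the matching props as required. A call that omits
         them is presumably rejected by the service rather than by the client (confirm). -->
    <arg type="string" var="$incident.properties.severity" options="severity" group="Properties">
      <help short="The severity of the incident"/>
      <enum>
        <item name="High" value="&quot;High&quot;"/>
        <item name="Informational" value="&quot;Informational&quot;"/>
        <item name="Low" value="&quot;Low&quot;"/>
        <item name="Medium" value="&quot;Medium&quot;"/>
      </enum>
    </arg>
    <arg type="string" var="$incident.properties.status" options="status" group="Properties">
      <help short="The status of the incident"/>
      <enum>
        <item name="Active" value="&quot;Active&quot;"/>
        <item name="Closed" value="&quot;Closed&quot;"/>
        <item name="New" value="&quot;New&quot;"/>
      </enum>
    </arg>
    <arg type="string" var="$incident.properties.title" options="title" group="Properties">
      <help short="The title of the incident"/>
    </arg>
  </argGroup>
  <operation operationId="Incidents_CreateOrUpdate">
    <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}">
      <request method="put">
        <path>
          <!-- NOTE(review): incidentId carries no format limits in this model, unlike the
               resource group and workspace names; validation is presumably left to the service (confirm). -->
          <param type="string" name="incidentId" arg="$Path.incidentId" required="True"/>
          <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
            <format maxLength="90" minLength="1"/>
          </param>
          <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
            <format minLength="1"/>
          </param>
          <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
            <format maxLength="90" minLength="1"/>
          </param>
        </path>
        <query>
          <!-- Constant, read-only query parameter: the caller cannot choose another API version. -->
          <const readOnly="True" const="True" type="string" name="api-version" required="True">
            <default value="&quot;2022-06-01-preview&quot;"/>
            <format minLength="1"/>
          </const>
        </query>
        <!-- Request body: only writable props appear here, each bound to one argument above. -->
        <body>
          <json>
            <schema type="object" name="incident" required="True" clientFlatten="True">
              <prop type="string" name="etag" arg="$incident.etag"/>
              <prop type="object" name="properties" clientFlatten="True">
                <prop type="string" name="classification" arg="$incident.properties.classification">
                  <enum>
                    <item value="&quot;BenignPositive&quot;"/>
                    <item value="&quot;FalsePositive&quot;"/>
                    <item value="&quot;TruePositive&quot;"/>
                    <item value="&quot;Undetermined&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="classificationComment" arg="$incident.properties.classificationComment"/>
                <prop type="string" name="classificationReason" arg="$incident.properties.classificationReason">
                  <enum>
                    <item value="&quot;InaccurateData&quot;"/>
                    <item value="&quot;IncorrectAlertLogic&quot;"/>
                    <item value="&quot;SuspiciousActivity&quot;"/>
                    <item value="&quot;SuspiciousButExpected&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="description" arg="$incident.properties.description"/>
                <prop type="dateTime" name="firstActivityTimeUtc" arg="$incident.properties.firstActivityTimeUtc"/>
                <prop type="array&lt;object&gt;" name="labels" arg="$incident.properties.labels">
                  <item type="object">
                    <prop type="string" name="labelName" arg="$incident.properties.labels[].labelName" required="True"/>
                  </item>
                </prop>
                <prop type="dateTime" name="lastActivityTimeUtc" arg="$incident.properties.lastActivityTimeUtc"/>
                <prop type="object" name="owner" arg="$incident.properties.owner">
                  <prop type="string" name="assignedTo" arg="$incident.properties.owner.assignedTo"/>
                  <prop type="string" name="email" arg="$incident.properties.owner.email"/>
                  <prop type="uuid" name="objectId" arg="$incident.properties.owner.objectId"/>
                  <prop type="string" name="ownerType" arg="$incident.properties.owner.ownerType">
                    <enum>
                      <item value="&quot;Group&quot;"/>
                      <item value="&quot;Unknown&quot;"/>
                      <item value="&quot;User&quot;"/>
                    </enum>
                  </prop>
                  <prop type="string" name="userPrincipalName" arg="$incident.properties.owner.userPrincipalName"/>
                </prop>
                <prop type="string" name="providerIncidentId" arg="$incident.properties.providerIncidentId"/>
                <prop type="string" name="providerName" arg="$incident.properties.providerName"/>
                <prop type="string" name="severity" arg="$incident.properties.severity" required="True">
                  <enum>
                    <item value="&quot;High&quot;"/>
                    <item value="&quot;Informational&quot;"/>
                    <item value="&quot;Low&quot;"/>
                    <item value="&quot;Medium&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="status" arg="$incident.properties.status" required="True">
                  <enum>
                    <item value="&quot;Active&quot;"/>
                    <item value="&quot;Closed&quot;"/>
                    <item value="&quot;New&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="title" arg="$incident.properties.title" required="True"/>
              </prop>
            </schema>
          </json>
        </body>
      </request>
      <!-- Success body: the incident as returned by the service, including its read-only fields. -->
      <response statusCode="200 201">
        <body>
          <json var="$Instance">
            <schema type="object">
              <prop type="string" name="etag"/>
              <prop readOnly="True" type="ResourceId" name="id">
                <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/incidents/{}"/>
              </prop>
              <prop readOnly="True" type="string" name="name"/>
              <prop type="object" name="properties" clientFlatten="True">
                <prop readOnly="True" type="object" name="additionalData">
                  <prop readOnly="True" type="array&lt;string&gt;" name="alertProductNames">
                    <item readOnly="True" type="string"/>
                  </prop>
                  <prop readOnly="True" type="integer32" name="alertsCount"/>
                  <prop readOnly="True" type="integer32" name="bookmarksCount"/>
                  <prop readOnly="True" type="integer32" name="commentsCount"/>
                  <prop readOnly="True" type="string" name="providerIncidentUrl"/>
                  <prop readOnly="True" type="array&lt;string&gt;" name="tactics">
                    <item readOnly="True" type="string">
                      <enum>
                        <item value="&quot;Collection&quot;"/>
                        <item value="&quot;CommandAndControl&quot;"/>
                        <item value="&quot;CredentialAccess&quot;"/>
                        <item value="&quot;DefenseEvasion&quot;"/>
                        <item value="&quot;Discovery&quot;"/>
                        <item value="&quot;Execution&quot;"/>
                        <item value="&quot;Exfiltration&quot;"/>
                        <item value="&quot;Impact&quot;"/>
                        <item value="&quot;ImpairProcessControl&quot;"/>
                        <item value="&quot;InhibitResponseFunction&quot;"/>
                        <item value="&quot;InitialAccess&quot;"/>
                        <item value="&quot;LateralMovement&quot;"/>
                        <item value="&quot;Persistence&quot;"/>
                        <item value="&quot;PreAttack&quot;"/>
                        <item value="&quot;PrivilegeEscalation&quot;"/>
                        <item value="&quot;Reconnaissance&quot;"/>
                        <item value="&quot;ResourceDevelopment&quot;"/>
                      </enum>
                    </item>
                  </prop>
                  <prop readOnly="True" type="array&lt;string&gt;" name="techniques">
                    <item readOnly="True" type="string"/>
                  </prop>
                </prop>
                <prop type="string" name="classification">
                  <enum>
                    <item value="&quot;BenignPositive&quot;"/>
                    <item value="&quot;FalsePositive&quot;"/>
                    <item value="&quot;TruePositive&quot;"/>
                    <item value="&quot;Undetermined&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="classificationComment"/>
                <prop type="string" name="classificationReason">
                  <enum>
                    <item value="&quot;InaccurateData&quot;"/>
                    <item value="&quot;IncorrectAlertLogic&quot;"/>
                    <item value="&quot;SuspiciousActivity&quot;"/>
                    <item value="&quot;SuspiciousButExpected&quot;"/>
                  </enum>
                </prop>
                <prop readOnly="True" type="dateTime" name="createdTimeUtc"/>
                <prop type="string" name="description"/>
                <prop type="dateTime" name="firstActivityTimeUtc"/>
                <prop readOnly="True" type="integer32" name="incidentNumber"/>
                <prop readOnly="True" type="string" name="incidentUrl"/>
                <prop type="array&lt;object&gt;" name="labels">
                  <item type="object">
                    <prop type="string" name="labelName" required="True"/>
                    <prop readOnly="True" type="string" name="labelType">
                      <enum>
                        <item value="&quot;AutoAssigned&quot;"/>
                        <item value="&quot;User&quot;"/>
                      </enum>
                    </prop>
                  </item>
                </prop>
                <prop type="dateTime" name="lastActivityTimeUtc"/>
                <prop readOnly="True" type="dateTime" name="lastModifiedTimeUtc"/>
                <prop type="object" name="owner">
                  <prop type="string" name="assignedTo"/>
                  <prop type="string" name="email"/>
                  <prop type="uuid" name="objectId"/>
                  <prop type="string" name="ownerType">
                    <enum>
                      <item value="&quot;Group&quot;"/>
                      <item value="&quot;Unknown&quot;"/>
                      <item value="&quot;User&quot;"/>
                    </enum>
                  </prop>
                  <prop type="string" name="userPrincipalName"/>
                </prop>
                <prop type="string" name="providerIncidentId"/>
                <prop type="string" name="providerName"/>
                <prop readOnly="True" type="array&lt;string&gt;" name="relatedAnalyticRuleIds">
                  <item readOnly="True" type="string"/>
                </prop>
                <prop type="string" name="severity" required="True">
                  <enum>
                    <item value="&quot;High&quot;"/>
                    <item value="&quot;Informational&quot;"/>
                    <item value="&quot;Low&quot;"/>
                    <item value="&quot;Medium&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="status" required="True">
                  <enum>
                    <item value="&quot;Active&quot;"/>
                    <item value="&quot;Closed&quot;"/>
                    <item value="&quot;New&quot;"/>
                  </enum>
                </prop>
                <prop type="object" name="teamInformation">
                  <prop readOnly="True" type="string" name="description"/>
                  <prop readOnly="True" type="string" name="name"/>
                  <prop readOnly="True" type="string" name="primaryChannelUrl"/>
                  <prop readOnly="True" type="dateTime" name="teamCreationTimeUtc"/>
                  <prop readOnly="True" type="string" name="teamId"/>
                </prop>
                <prop type="string" name="title" required="True"/>
              </prop>
              <!-- Read-only audit fields: who created and last modified the resource, and when. -->
              <prop readOnly="True" type="object" name="systemData">
                <prop readOnly="True" type="dateTime" name="createdAt"/>
                <prop readOnly="True" type="string" name="createdBy"/>
                <prop readOnly="True" type="string" name="createdByType">
                  <enum>
                    <item value="&quot;Application&quot;"/>
                    <item value="&quot;Key&quot;"/>
                    <item value="&quot;ManagedIdentity&quot;"/>
                    <item value="&quot;User&quot;"/>
                  </enum>
                </prop>
                <prop readOnly="True" type="dateTime" name="lastModifiedAt"/>
                <prop readOnly="True" type="string" name="lastModifiedBy"/>
                <prop readOnly="True" type="string" name="lastModifiedByType">
                  <enum>
                    <item value="&quot;Application&quot;"/>
                    <item value="&quot;Key&quot;"/>
                    <item value="&quot;ManagedIdentity&quot;"/>
                    <item value="&quot;User&quot;"/>
                  </enum>
                </prop>
              </prop>
              <prop readOnly="True" type="string" name="type"/>
            </schema>
          </json>
        </body>
      </response>
      <!-- Any other response is parsed as an error body of type @ODataV4Format. -->
      <response isError="True">
        <body>
          <json>
            <schema type="@ODataV4Format"/>
          </json>
        </body>
      </response>
    </http>
  </operation>
  <output type="object" ref="$Instance" clientFlatten="True"/>
</command>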
<command name="update" version="2022-06-01-preview">
<resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/incidents/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvaW5jaWRlbnRzL3tpbmNpZGVudElkfQ==/V/MjAyMi0wNi0wMS1wcmV2aWV3"/>
<argGroup name="">
<arg type="string" var="$Path.incidentId" options="incident-id name n" required="True" idPart="child_name_1">
<help short="Incident ID"/>
</arg>
<arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/>
<arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/>
<arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name">
<help short="The name of the workspace."/>
<format maxLength="90" minLength="1"/>
</arg>
</argGroup>
<argGroup name="Incident">
<arg nullable="True" type="string" var="$incident.etag" options="etag" group="Incident">
<help short="Etag of the azure resource"/>
</arg>
</argGroup>
<argGroup name="Properties">
<arg nullable="True" type="string" var="$incident.properties.classification" options="classification" group="Properties">
<help short="The reason the incident was closed"/>
<enum>
<item name="BenignPositive" value=""BenignPositive""/>
<item name="FalsePositive" value=""FalsePositive""/>
<item name="TruePositive" value=""TruePositive""/>
<item name="Undetermined" value=""Undetermined""/>
</enum>
</arg>
<arg nullable="True" type="string" var="$incident.properties.classificationComment" options="classification-comment" group="Properties">
<help short="Describes the reason the incident was closed"/>
</arg>
<arg nullable="True" type="string" var="$incident.properties.classificationReason" options="classification-reason" group="Properties">
<help short="The classification reason the incident was closed with"/>
<enum>
<item name="InaccurateData" value=""InaccurateData""/>
<item name="IncorrectAlertLogic" value=""IncorrectAlertLogic""/>
<item name="SuspiciousActivity" value=""SuspiciousActivity""/>
<item name="SuspiciousButExpected" value=""SuspiciousButExpected""/>
</enum>
</arg>
<arg nullable="True" type="string" var="$incident.properties.description" options="description" group="Properties">
<help short="The description of the incident"/>
</arg>
<arg nullable="True" type="dateTime" var="$incident.properties.firstActivityTimeUtc" options="first-activity-time-utc" group="Properties">
<help short="The time of the first activity in the incident"/>
</arg>
<arg nullable="True" type="array<object>" var="$incident.properties.labels" options="labels" group="Properties">
<help short="List of labels relevant to this incident"/>
<item type="object">
<arg type="string" var="$incident.properties.labels[].labelName" options="label-name">
<help short="The name of the label"/>
</arg>
</item>
</arg>
<arg nullable="True" type="dateTime" var="$incident.properties.lastActivityTimeUtc" options="last-activity-time-utc" group="Properties">
<help short="The time of the last activity in the incident"/>
</arg>
<arg nullable="True" type="object" var="$incident.properties.owner" options="owner" group="Properties">
<help short="Describes a user that the incident is assigned to"/>
<arg nullable="True" type="string" var="$incident.properties.owner.assignedTo" options="assigned-to">
<help short="The name of the user the incident is assigned to."/>
</arg>
<arg nullable="True" type="string" var="$incident.properties.owner.email" options="email">
<help short="The email of the user the incident is assigned to."/>
</arg>
<arg nullable="True" type="uuid" var="$incident.properties.owner.objectId" options="object-id">
<help short="The object id of the user the incident is assigned to."/>
</arg>
<arg nullable="True" type="string" var="$incident.properties.owner.ownerType" options="owner-type">
<help short="The type of the owner the incident is assigned to."/>
<enum>
<item name="Group" value=""Group""/>
<item name="Unknown" value=""Unknown""/>
<item name="User" value=""User""/>
</enum>
</arg>
<arg nullable="True" type="string" var="$incident.properties.owner.userPrincipalName" options="user-principal-name">
<help short="The user principal name of the user the incident is assigned to."/>
</arg>
</arg>
<arg nullable="True" type="string" var="$incident.properties.providerIncidentId" options="provider-incident-id" group="Properties">
<help short="The incident ID assigned by the incident provider"/>
</arg>
<arg nullable="True" type="string" var="$incident.properties.providerName" options="provider-name" group="Properties">
<help short="The name of the source provider that generated the incident"/>
</arg>
<arg type="string" var="$incident.properties.severity" options="severity" group="Properties">
<help short="The severity of the incident"/>
<enum>
<item name="High" value=""High""/>
<item name="Informational" value=""Informational""/>
<item name="Low" value=""Low""/>
<item name="Medium" value=""Medium""/>
</enum>
</arg>
<arg type="string" var="$incident.properties.status" options="status" group="Properties">
<help short="The status of the incident"/>
<enum>
<item name="Active" value=""Active""/>
<item name="Closed" value=""Closed""/>
<item name="New" value=""New""/>
</enum>
</arg>
<arg type="string" var="$incident.properties.title" options="title" group="Properties">
<help short="The title of the incident"/>
</arg>
</argGroup>
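<operation operationId="Incidents_Get">
  <!-- First step of the update flow: fetch the current incident and bind the 200 body to
       $Instance, which the following operations modify and send back.
       Attribute values that hold JSON strings or generic type names are entity-escaped
       (&quot;, &lt;, &gt;) so the document stays well-formed. -->
  <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}">
    <request method="get">
      <path>
        <!-- NOTE(review): incidentId has no <format> constraint, while resourceGroupName and
             workspaceName are bounded to 1..90 characters and subscriptionId to at least 1.
             Length and shape of the incident id are therefore left to the service to
             validate; confirm that is intended. -->
        <param type="string" name="incidentId" arg="$Path.incidentId" required="True"/>
        <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
          <format maxLength="90" minLength="1"/>
        </param>
        <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
          <format minLength="1"/>
        </param>
        <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
          <format maxLength="90" minLength="1"/>
        </param>
      </path>
      <query>
        <!-- Fixed, read-only api-version: the caller cannot select another API version. -->
        <const readOnly="True" const="True" type="string" name="api-version" required="True">
          <default value="&quot;2022-06-01-preview&quot;"/>
          <format minLength="1"/>
        </const>
      </query>
    </request>
    <response statusCode="200">
      <body>
        <json var="$Instance">
          <!-- Incident_read is the full read model. Props marked readOnly="True" are
               populated by the service; the update schema later in this command binds
               no arg to them. -->
          <schema type="object" cls="Incident_read">
            <prop type="string" name="etag"/>
            <prop readOnly="True" type="ResourceId" name="id">
              <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/incidents/{}"/>
            </prop>
            <prop readOnly="True" type="string" name="name"/>
            <prop type="object" name="properties" clientFlatten="True">
              <!-- Read-only aggregate data about the incident: counts of alerts, bookmarks
                   and comments, plus tactics and techniques. -->
              <prop readOnly="True" type="object" name="additionalData">
                <prop readOnly="True" type="array&lt;string&gt;" name="alertProductNames">
                  <item readOnly="True" type="string"/>
                </prop>
                <prop readOnly="True" type="integer32" name="alertsCount"/>
                <prop readOnly="True" type="integer32" name="bookmarksCount"/>
                <prop readOnly="True" type="integer32" name="commentsCount"/>
                <prop readOnly="True" type="string" name="providerIncidentUrl"/>
                <!-- The values look like MITRE ATT&CK tactic identifiers; the list also
                     carries ImpairProcessControl, InhibitResponseFunction and PreAttack.
                     Read-only, so tactics cannot be set through this command. -->
                <prop readOnly="True" type="array&lt;string&gt;" name="tactics">
                  <item readOnly="True" type="string">
                    <enum>
                      <item value="&quot;Collection&quot;"/>
                      <item value="&quot;CommandAndControl&quot;"/>
                      <item value="&quot;CredentialAccess&quot;"/>
                      <item value="&quot;DefenseEvasion&quot;"/>
                      <item value="&quot;Discovery&quot;"/>
                      <item value="&quot;Execution&quot;"/>
                      <item value="&quot;Exfiltration&quot;"/>
                      <item value="&quot;Impact&quot;"/>
                      <item value="&quot;ImpairProcessControl&quot;"/>
                      <item value="&quot;InhibitResponseFunction&quot;"/>
                      <item value="&quot;InitialAccess&quot;"/>
                      <item value="&quot;LateralMovement&quot;"/>
                      <item value="&quot;Persistence&quot;"/>
                      <item value="&quot;PreAttack&quot;"/>
                      <item value="&quot;PrivilegeEscalation&quot;"/>
                      <item value="&quot;Reconnaissance&quot;"/>
                      <item value="&quot;ResourceDevelopment&quot;"/>
                    </enum>
                  </item>
                </prop>
                <prop readOnly="True" type="array&lt;string&gt;" name="techniques">
                  <item readOnly="True" type="string"/>
                </prop>
              </prop>
              <!-- Triage verdict fields: classification, a free-text comment and a reason. -->
              <prop type="string" name="classification">
                <enum>
                  <item value="&quot;BenignPositive&quot;"/>
                  <item value="&quot;FalsePositive&quot;"/>
                  <item value="&quot;TruePositive&quot;"/>
                  <item value="&quot;Undetermined&quot;"/>
                </enum>
              </prop>
              <prop type="string" name="classificationComment"/>
              <prop type="string" name="classificationReason">
                <enum>
                  <item value="&quot;InaccurateData&quot;"/>
                  <item value="&quot;IncorrectAlertLogic&quot;"/>
                  <item value="&quot;SuspiciousActivity&quot;"/>
                  <item value="&quot;SuspiciousButExpected&quot;"/>
                </enum>
              </prop>
              <prop readOnly="True" type="dateTime" name="createdTimeUtc"/>
              <prop type="string" name="description"/>
              <prop type="dateTime" name="firstActivityTimeUtc"/>
              <prop readOnly="True" type="integer32" name="incidentNumber"/>
              <prop readOnly="True" type="string" name="incidentUrl"/>
              <!-- labelName is caller-supplied; labelType (AutoAssigned or User) is read-only. -->
              <prop type="array&lt;object&gt;" name="labels">
                <item type="object">
                  <prop type="string" name="labelName" required="True"/>
                  <prop readOnly="True" type="string" name="labelType">
                    <enum>
                      <item value="&quot;AutoAssigned&quot;"/>
                      <item value="&quot;User&quot;"/>
                    </enum>
                  </prop>
                </item>
              </prop>
              <prop type="dateTime" name="lastActivityTimeUtc"/>
              <prop readOnly="True" type="dateTime" name="lastModifiedTimeUtc"/>
              <!-- Assignee identity: display name, e-mail, directory object id and UPN.
                   These fields are part of $Instance and so of the command output; treat
                   captured output and logs as containing personal data. -->
              <prop type="object" name="owner">
                <prop type="string" name="assignedTo"/>
                <prop type="string" name="email"/>
                <prop type="uuid" name="objectId"/>
                <prop type="string" name="ownerType">
                  <enum>
                    <item value="&quot;Group&quot;"/>
                    <item value="&quot;Unknown&quot;"/>
                    <item value="&quot;User&quot;"/>
                  </enum>
                </prop>
                <prop type="string" name="userPrincipalName"/>
              </prop>
              <prop type="string" name="providerIncidentId"/>
              <prop type="string" name="providerName"/>
              <prop readOnly="True" type="array&lt;string&gt;" name="relatedAnalyticRuleIds">
                <item readOnly="True" type="string"/>
              </prop>
              <prop type="string" name="severity" required="True">
                <enum>
                  <item value="&quot;High&quot;"/>
                  <item value="&quot;Informational&quot;"/>
                  <item value="&quot;Low&quot;"/>
                  <item value="&quot;Medium&quot;"/>
                </enum>
              </prop>
              <prop type="string" name="status" required="True">
                <enum>
                  <item value="&quot;Active&quot;"/>
                  <item value="&quot;Closed&quot;"/>
                  <item value="&quot;New&quot;"/>
                </enum>
              </prop>
              <!-- Every child of teamInformation is read-only. -->
              <prop type="object" name="teamInformation">
                <prop readOnly="True" type="string" name="description"/>
                <prop readOnly="True" type="string" name="name"/>
                <prop readOnly="True" type="string" name="primaryChannelUrl"/>
                <prop readOnly="True" type="dateTime" name="teamCreationTimeUtc"/>
                <prop readOnly="True" type="string" name="teamId"/>
              </prop>
              <prop type="string" name="title" required="True"/>
            </prop>
            <!-- Read-only audit fields: who created and last modified the resource, when,
                 and through which kind of principal (Application, Key, ManagedIdentity, User). -->
            <prop readOnly="True" type="object" name="systemData">
              <prop readOnly="True" type="dateTime" name="createdAt"/>
              <prop readOnly="True" type="string" name="createdBy"/>
              <prop readOnly="True" type="string" name="createdByType">
                <enum>
                  <item value="&quot;Application&quot;"/>
                  <item value="&quot;Key&quot;"/>
                  <item value="&quot;ManagedIdentity&quot;"/>
                  <item value="&quot;User&quot;"/>
                </enum>
              </prop>
              <prop readOnly="True" type="dateTime" name="lastModifiedAt"/>
              <prop readOnly="True" type="string" name="lastModifiedBy"/>
              <prop readOnly="True" type="string" name="lastModifiedByType">
                <enum>
                  <item value="&quot;Application&quot;"/>
                  <item value="&quot;Key&quot;"/>
                  <item value="&quot;ManagedIdentity&quot;"/>
                  <item value="&quot;User&quot;"/>
                </enum>
              </prop>
            </prop>
            <prop readOnly="True" type="string" name="type"/>
          </schema>
        </json>
      </body>
    </response>
    <!-- Any response not matched above is treated as an error in the ODataV4Format shape. -->
    <response isError="True">
      <body>
        <json>
          <schema type="@ODataV4Format"/>
        </json>
      </body>
    </response>
  </http>
</operation>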
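<operation>
  <!-- Second step of the update flow: overlay command-line args onto the $Instance
       fetched by Incidents_Get. Only the props listed here have an arg binding; the
       read-only parts of Incident_read (additionalData, incidentNumber, labelType,
       teamInformation children, systemData and so on) cannot be changed from the CLI.
       JSON string values and generic type names are entity-escaped (&quot;, &lt;, &gt;)
       so the document stays well-formed. -->
  <instanceUpdate instance="$Instance">
    <json>
      <schema type="object" name="incident" required="True" clientFlatten="True">
        <!-- NOTE(review): etag is the only concurrency-related field in this model. The
             command reads, modifies and writes back in separate requests, so a change made
             by another analyst or automation in between could be overwritten unless the
             service enforces the etag; confirm the service-side behaviour. -->
        <prop type="string" name="etag" arg="$incident.etag"/>
        <prop type="object" name="properties" clientFlatten="True">
          <prop type="string" name="classification" arg="$incident.properties.classification">
            <enum>
              <item value="&quot;BenignPositive&quot;"/>
              <item value="&quot;FalsePositive&quot;"/>
              <item value="&quot;TruePositive&quot;"/>
              <item value="&quot;Undetermined&quot;"/>
            </enum>
          </prop>
          <prop type="string" name="classificationComment" arg="$incident.properties.classificationComment"/>
          <prop type="string" name="classificationReason" arg="$incident.properties.classificationReason">
            <enum>
              <item value="&quot;InaccurateData&quot;"/>
              <item value="&quot;IncorrectAlertLogic&quot;"/>
              <item value="&quot;SuspiciousActivity&quot;"/>
              <item value="&quot;SuspiciousButExpected&quot;"/>
            </enum>
          </prop>
          <prop type="string" name="description" arg="$incident.properties.description"/>
          <prop type="dateTime" name="firstActivityTimeUtc" arg="$incident.properties.firstActivityTimeUtc"/>
          <!-- Only labelName is writable; labelType is read-only in the read schema. -->
          <prop type="array&lt;object&gt;" name="labels" arg="$incident.properties.labels">
            <item type="object">
              <prop type="string" name="labelName" arg="$incident.properties.labels[].labelName" required="True"/>
            </item>
          </prop>
          <prop type="dateTime" name="lastActivityTimeUtc" arg="$incident.properties.lastActivityTimeUtc"/>
          <!-- Incident assignment: every owner field, including e-mail, UPN and directory
               object id, is caller-settable here. The model places no constraint on these
               strings beyond the uuid type of objectId. -->
          <prop type="object" name="owner" arg="$incident.properties.owner">
            <prop type="string" name="assignedTo" arg="$incident.properties.owner.assignedTo"/>
            <prop type="string" name="email" arg="$incident.properties.owner.email"/>
            <prop type="uuid" name="objectId" arg="$incident.properties.owner.objectId"/>
            <prop type="string" name="ownerType" arg="$incident.properties.owner.ownerType">
              <enum>
                <item value="&quot;Group&quot;"/>
                <item value="&quot;Unknown&quot;"/>
                <item value="&quot;User&quot;"/>
              </enum>
            </prop>
            <prop type="string" name="userPrincipalName" arg="$incident.properties.owner.userPrincipalName"/>
          </prop>
          <prop type="string" name="providerIncidentId" arg="$incident.properties.providerIncidentId"/>
          <prop type="string" name="providerName" arg="$incident.properties.providerName"/>
          <!-- severity, status and title are required in the request body. -->
          <prop type="string" name="severity" arg="$incident.properties.severity" required="True">
            <enum>
              <item value="&quot;High&quot;"/>
              <item value="&quot;Informational&quot;"/>
              <item value="&quot;Low&quot;"/>
              <item value="&quot;Medium&quot;"/>
            </enum>
          </prop>
          <prop type="string" name="status" arg="$incident.properties.status" required="True">
            <enum>
              <item value="&quot;Active&quot;"/>
              <item value="&quot;Closed&quot;"/>
              <item value="&quot;New&quot;"/>
            </enum>
          </prop>
          <prop type="string" name="title" arg="$incident.properties.title" required="True"/>
        </prop>
      </schema>
    </json>
  </instanceUpdate>
</operation>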
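<operation operationId="Incidents_CreateOrUpdate">
  <!-- Final step of the update flow: PUT the modified $Instance back to the same resource
       path used by Incidents_Get. The default api-version is a JSON string, so its quotes
       are written as &quot; to keep the attribute well-formed. -->
  <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}">
    <request method="put">
      <path>
        <!-- Same path parameters and constraints as the GET; incidentId again carries no
             <format> constraint. -->
        <param type="string" name="incidentId" arg="$Path.incidentId" required="True"/>
        <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True">
          <format maxLength="90" minLength="1"/>
        </param>
        <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True">
          <format minLength="1"/>
        </param>
        <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True">
          <format maxLength="90" minLength="1"/>
        </param>
      </path>
      <query>
        <const readOnly="True" const="True" type="string" name="api-version" required="True">
          <default value="&quot;2022-06-01-preview&quot;"/>
          <format minLength="1"/>
        </const>
      </query>
      <!-- The request body is $Instance as left by the instanceUpdate step.
           NOTE(review): nothing in this model makes the GET and this PUT atomic; whether
           a stale write is rejected depends on how the service treats the etag. -->
      <body>
        <json ref="$Instance"/>
      </body>
    </request>
    <!-- Both 200 and 201 rebind $Instance to the Incident_read shape returned by the service. -->
    <response statusCode="200 201">
      <body>
        <json var="$Instance">
          <schema type="@Incident_read"/>
        </json>
      </body>
    </response>
    <response isError="True">
      <body>
        <json>
          <schema type="@ODataV4Format"/>
        </json>
      </body>
    </response>
  </http>
</operation>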
<!-- The command prints $Instance, which the 200/201 response of Incidents_CreateOrUpdate
     has rebound to the incident as stored by the service. That object includes the owner
     identity fields and the systemData audit fields. -->
<output type="object" ref="$Instance" clientFlatten="True"/>
</command>
</commandGroup>
</CodeGen>