Resources/mgmt-plane/L3N1YnNjcmlwdGlvbnMve30vcmVzb3VyY2Vncm91cHMve30vcHJvdmlkZXJzL21pY3Jvc29mdC5vcGVyYXRpb25hbGluc2lnaHRzL3dvcmtzcGFjZXMve30vcHJvdmlkZXJzL21pY3Jvc29mdC5zZWN1cml0eWluc2lnaHRzL3dhdGNobGlzdHMve30=/2022-06-01-preview.xml (676 lines of code) (raw):

<?xml version='1.0' encoding='utf-8'?> <CodeGen plane="mgmt-plane"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvd2F0Y2hsaXN0cy97d2F0Y2hsaXN0QWxpYXN9/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <commandGroup name="sentinel watchlist"> <command name="show" version="2022-06-01-preview"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvd2F0Y2hsaXN0cy97d2F0Y2hsaXN0QWxpYXN9/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.watchlistAlias" options="watchlist-alias name n" required="True" idPart="child_name_1"> <help short="Watchlist Alias"/> </arg> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <operation operationId="Watchlists_Get"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}"> <request method="get"> <path> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="watchlistAlias" arg="$Path.watchlistAlias" required="True"/> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> </request> <response statusCode="200"> <body> <json var="$Instance"> <schema type="object"> <prop type="string" name="etag"/> <prop readOnly="True" type="ResourceId" name="id"> <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/watchlists/{}"/> </prop> <prop readOnly="True" type="string" name="name"/> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="contentType"/> <prop type="dateTime" name="created"/> <prop type="object" name="createdBy" cls="UserInfo_read"> <prop readOnly="True" type="string" name="email"/> <prop readOnly="True" type="string" name="name"/> <prop nullable="True" type="uuid" name="objectId"/> </prop> <prop type="duration" name="defaultDuration"/> <prop type="string" name="description"/> <prop type="string" name="displayName" required="True"/> <prop type="boolean" name="isDeleted"/> <prop type="string" name="itemsSearchKey" required="True"/> <prop type="array<string>" name="labels"> <item type="string"/> </prop> <prop type="integer32" name="numberOfLinesToSkip"/> <prop type="string" name="provider" required="True"/> <prop type="string" name="rawContent"/> <prop type="string" name="source"/> <prop type="string" name="sourceType"> <enum> <item value="&quot;Local file&quot;"/> <item value="&quot;Remote storage&quot;"/> </enum> </prop> <prop type="string" name="tenantId"/> <prop type="dateTime" name="updated"/> <prop type="@UserInfo_read" name="updatedBy"/> <prop type="string" name="uploadStatus"/> <prop type="string" name="watchlistAlias"/> <prop type="string" name="watchlistId"/> <prop type="string" name="watchlistType"/> </prop> <prop readOnly="True" type="object" name="systemData"> <prop readOnly="True" type="dateTime" name="createdAt"/> <prop readOnly="True" type="string" name="createdBy"/> <prop readOnly="True" type="string" name="createdByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedAt"/> <prop readOnly="True" type="string" name="lastModifiedBy"/> <prop readOnly="True" type="string" name="lastModifiedByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> </prop> <prop readOnly="True" type="string" name="type"/> </schema> </json> </body> </response> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <output type="object" ref="$Instance" clientFlatten="True"/> </command> <command name="delete" version="2022-06-01-preview" confirmation="Are you sure you want to perform this operation?"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvd2F0Y2hsaXN0cy97d2F0Y2hsaXN0QWxpYXN9/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.watchlistAlias" options="watchlist-alias name n" required="True" idPart="child_name_1"> <help short="Watchlist Alias"/> </arg> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <operation operationId="Watchlists_Delete"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}"> <request method="delete"> <path> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="watchlistAlias" arg="$Path.watchlistAlias" required="True"/> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> </request> <response statusCode="200"> <header> <item name="Azure-AsyncOperation"/> </header> </response> <response statusCode="204"/> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> </command> <command name="create" version="2022-06-01-preview"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvd2F0Y2hsaXN0cy97d2F0Y2hsaXN0QWxpYXN9/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.watchlistAlias" options="watchlist-alias name n" required="True" idPart="child_name_1"> <help short="Watchlist Alias"/> </arg> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <argGroup name="Properties"> <arg type="string" var="$watchlist.properties.contentType" options="content-type" group="Properties"> <help short="The content type of the raw content. Example : text/csv or text/tsv "/> </arg> <arg type="dateTime" var="$watchlist.properties.created" options="created" group="Properties"> <help short="The time the watchlist was created"/> </arg> <arg type="object" var="$watchlist.properties.createdBy" options="created-by" group="Properties" cls="UserInfo_create"> <help short="Describes a user that created the watchlist"/> <arg nullable="True" type="uuid" var="@UserInfo_create.objectId" options="object-id"> <help short="The object id of the user."/> </arg> </arg> <arg type="duration" var="$watchlist.properties.defaultDuration" options="default-duration" group="Properties"> <help short="The default duration of a watchlist (in ISO 8601 duration format)"/> </arg> <arg type="string" var="$watchlist.properties.description" options="description" group="Properties"> <help short="A description of the watchlist"/> </arg> <arg type="string" var="$watchlist.properties.displayName" options="display-name" group="Properties"> <help short="The display name of the watchlist"/> </arg> <arg type="boolean" var="$watchlist.properties.isDeleted" options="is-deleted" group="Properties"> <help short="A flag that indicates if the watchlist is deleted or not"/> </arg> <arg type="string" var="$watchlist.properties.itemsSearchKey" options="items-search-key" group="Properties"> <help short="The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address."/> </arg> <arg type="array<string>" var="$watchlist.properties.labels" options="labels" group="Properties"> <help short="List of labels relevant to this watchlist"/> <item type="string"/> </arg> <arg type="integer32" var="$watchlist.properties.numberOfLinesToSkip" options="skip-num" group="Properties"> <help short="The number of lines in a csv/tsv content to skip before the header"/> </arg> <arg type="string" var="$watchlist.properties.provider" options="provider" group="Properties"> <help short="The provider of the watchlist"/> </arg> <arg type="string" var="$watchlist.properties.rawContent" options="raw-content" group="Properties"> <help short="The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint"/> </arg> <arg type="string" var="$watchlist.properties.source" options="source" group="Properties"> <help short="The filename of the watchlist, called 'source'"/> </arg> <arg type="string" var="$watchlist.properties.sourceType" options="source-type" group="Properties"> <help short="The sourceType of the watchlist"/> <enum> <item name="Local file" value="&quot;Local file&quot;"/> <item name="Remote storage" value="&quot;Remote storage&quot;"/> </enum> </arg> <arg type="string" var="$watchlist.properties.tenantId" options="tenant-id" group="Properties"> <help short="The tenantId where the watchlist belongs to"/> </arg> <arg type="dateTime" var="$watchlist.properties.updated" options="updated" group="Properties"> <help short="The last time the watchlist was updated"/> </arg> <arg type="@UserInfo_create" var="$watchlist.properties.updatedBy" options="updated-by" group="Properties"> <help short="Describes a user that updated the watchlist"/> </arg> <arg type="string" var="$watchlist.properties.uploadStatus" options="upload-status" group="Properties"> <help short="The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted"/> </arg> <arg type="string" var="$watchlist.properties.watchlistId" options="watchlist-id" group="Properties"> <help short="The id (a Guid) of the watchlist"/> </arg> <arg type="string" var="$watchlist.properties.watchlistType" options="watchlist-type" group="Properties"> <help short="The type of the watchlist"/> </arg> </argGroup> <argGroup name="Watchlist"> <arg type="string" var="$watchlist.etag" options="etag" group="Watchlist"> <help short="Etag of the azure resource"/> </arg> </argGroup> <operation operationId="Watchlists_CreateOrUpdate"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}"> <request method="put"> <path> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="watchlistAlias" arg="$Path.watchlistAlias" required="True"/> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> <body> <json> <schema type="object" name="watchlist" required="True" clientFlatten="True"> <prop type="string" name="etag" arg="$watchlist.etag"/> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="contentType" arg="$watchlist.properties.contentType"/> <prop type="dateTime" name="created" arg="$watchlist.properties.created"/> <prop type="object" name="createdBy" arg="$watchlist.properties.createdBy" cls="UserInfo_create"> <prop nullable="True" type="uuid" name="objectId" arg="@UserInfo_create.objectId"/> </prop> <prop type="duration" name="defaultDuration" arg="$watchlist.properties.defaultDuration"/> <prop type="string" name="description" arg="$watchlist.properties.description"/> <prop type="string" name="displayName" arg="$watchlist.properties.displayName" required="True"/> <prop type="boolean" name="isDeleted" arg="$watchlist.properties.isDeleted"/> <prop type="string" name="itemsSearchKey" arg="$watchlist.properties.itemsSearchKey" required="True"/> <prop type="array<string>" name="labels" arg="$watchlist.properties.labels"> <item type="string"/> </prop> <prop type="integer32" name="numberOfLinesToSkip" arg="$watchlist.properties.numberOfLinesToSkip"/> <prop type="string" name="provider" arg="$watchlist.properties.provider" required="True"/> <prop type="string" name="rawContent" arg="$watchlist.properties.rawContent"/> <prop type="string" name="source" arg="$watchlist.properties.source"/> <prop type="string" name="sourceType" arg="$watchlist.properties.sourceType"> <enum> <item value="&quot;Local file&quot;"/> <item value="&quot;Remote storage&quot;"/> </enum> </prop> <prop type="string" name="tenantId" arg="$watchlist.properties.tenantId"/> <prop type="dateTime" name="updated" arg="$watchlist.properties.updated"/> <prop type="@UserInfo_create" name="updatedBy" arg="$watchlist.properties.updatedBy"/> <prop type="string" name="uploadStatus" arg="$watchlist.properties.uploadStatus"/> <prop type="string" name="watchlistAlias" arg="$Path.watchlistAlias"/> <prop type="string" name="watchlistId" arg="$watchlist.properties.watchlistId"/> <prop type="string" name="watchlistType" arg="$watchlist.properties.watchlistType"/> </prop> </schema> </json> </body> </request> <response statusCode="200 201"> <body> <json var="$Instance"> <schema type="object"> <prop type="string" name="etag"/> <prop readOnly="True" type="ResourceId" name="id"> <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/watchlists/{}"/> </prop> <prop readOnly="True" type="string" name="name"/> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="contentType"/> <prop type="dateTime" name="created"/> <prop type="object" name="createdBy" cls="UserInfo_read"> <prop readOnly="True" type="string" name="email"/> <prop readOnly="True" type="string" name="name"/> <prop nullable="True" type="uuid" name="objectId"/> </prop> <prop type="duration" name="defaultDuration"/> <prop type="string" name="description"/> <prop type="string" name="displayName" required="True"/> <prop type="boolean" name="isDeleted"/> <prop type="string" name="itemsSearchKey" required="True"/> <prop type="array<string>" name="labels"> <item type="string"/> </prop> <prop type="integer32" name="numberOfLinesToSkip"/> <prop type="string" name="provider" required="True"/> <prop type="string" name="rawContent"/> <prop type="string" name="source"/> <prop type="string" name="sourceType"> <enum> <item value="&quot;Local file&quot;"/> <item value="&quot;Remote storage&quot;"/> </enum> </prop> <prop type="string" name="tenantId"/> <prop type="dateTime" name="updated"/> <prop type="@UserInfo_read" name="updatedBy"/> <prop type="string" name="uploadStatus"/> <prop type="string" name="watchlistAlias"/> <prop type="string" name="watchlistId"/> <prop type="string" name="watchlistType"/> </prop> <prop readOnly="True" type="object" name="systemData"> <prop readOnly="True" type="dateTime" name="createdAt"/> <prop readOnly="True" type="string" name="createdBy"/> <prop readOnly="True" type="string" name="createdByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedAt"/> <prop readOnly="True" type="string" name="lastModifiedBy"/> <prop readOnly="True" type="string" name="lastModifiedByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> </prop> <prop readOnly="True" type="string" name="type"/> </schema> </json> </body> </response> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <output type="object" ref="$Instance" clientFlatten="True"/> </command> <command name="update" version="2022-06-01-preview"> <resource id="/subscriptions/{}/resourcegroups/{}/providers/microsoft.operationalinsights/workspaces/{}/providers/microsoft.securityinsights/watchlists/{}" version="2022-06-01-preview" swagger="mgmt-plane/securityinsights/ResourceProviders/Microsoft.SecurityInsights/Paths/L3N1YnNjcmlwdGlvbnMve3N1YnNjcmlwdGlvbklkfS9yZXNvdXJjZUdyb3Vwcy97cmVzb3VyY2VHcm91cE5hbWV9L3Byb3ZpZGVycy9NaWNyb3NvZnQuT3BlcmF0aW9uYWxJbnNpZ2h0cy93b3Jrc3BhY2VzL3t3b3Jrc3BhY2VOYW1lfS9wcm92aWRlcnMvTWljcm9zb2Z0LlNlY3VyaXR5SW5zaWdodHMvd2F0Y2hsaXN0cy97d2F0Y2hsaXN0QWxpYXN9/V/MjAyMi0wNi0wMS1wcmV2aWV3"/> <argGroup name=""> <arg type="ResourceGroupName" var="$Path.resourceGroupName" options="resource-group g" required="True" idPart="resource_group"/> <arg type="SubscriptionId" var="$Path.subscriptionId" options="subscription" required="True" idPart="subscription"/> <arg type="string" var="$Path.watchlistAlias" options="watchlist-alias name n" required="True" idPart="child_name_1"> <help short="Watchlist Alias"/> </arg> <arg type="string" var="$Path.workspaceName" options="workspace-name w" required="True" stage="Experimental" idPart="name"> <help short="The name of the workspace."/> <format maxLength="90" minLength="1"/> </arg> </argGroup> <argGroup name="Properties"> <arg nullable="True" type="string" var="$watchlist.properties.contentType" options="content-type" group="Properties"> <help short="The content type of the raw content. Example : text/csv or text/tsv "/> </arg> <arg nullable="True" type="dateTime" var="$watchlist.properties.created" options="created" group="Properties"> <help short="The time the watchlist was created"/> </arg> <arg nullable="True" type="object" var="$watchlist.properties.createdBy" options="created-by" group="Properties" cls="UserInfo_update"> <help short="Describes a user that created the watchlist"/> <arg nullable="True" type="uuid" var="@UserInfo_update.objectId" options="object-id"> <help short="The object id of the user."/> </arg> </arg> <arg nullable="True" type="duration" var="$watchlist.properties.defaultDuration" options="default-duration" group="Properties"> <help short="The default duration of a watchlist (in ISO 8601 duration format)"/> </arg> <arg nullable="True" type="string" var="$watchlist.properties.description" options="description" group="Properties"> <help short="A description of the watchlist"/> </arg> <arg type="string" var="$watchlist.properties.displayName" options="display-name" group="Properties"> <help short="The display name of the watchlist"/> </arg> <arg nullable="True" type="boolean" var="$watchlist.properties.isDeleted" options="is-deleted" group="Properties"> <help short="A flag that indicates if the watchlist is deleted or not"/> </arg> <arg type="string" var="$watchlist.properties.itemsSearchKey" options="items-search-key" group="Properties"> <help short="The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address."/> </arg> <arg nullable="True" type="array<string>" var="$watchlist.properties.labels" options="labels" group="Properties"> <help short="List of labels relevant to this watchlist"/> <item type="string"/> </arg> <arg nullable="True" type="integer32" var="$watchlist.properties.numberOfLinesToSkip" options="skip-num" group="Properties"> <help short="The number of lines in a csv/tsv content to skip before the header"/> </arg> <arg type="string" var="$watchlist.properties.provider" options="provider" group="Properties"> <help short="The provider of the watchlist"/> </arg> <arg nullable="True" type="string" var="$watchlist.properties.rawContent" options="raw-content" group="Properties"> <help short="The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint"/> </arg> <arg nullable="True" type="string" var="$watchlist.properties.source" options="source" group="Properties"> <help short="The filename of the watchlist, called 'source'"/> </arg> <arg nullable="True" type="string" var="$watchlist.properties.sourceType" options="source-type" group="Properties"> <help short="The sourceType of the watchlist"/> <enum> <item name="Local file" value="&quot;Local file&quot;"/> <item name="Remote storage" value="&quot;Remote storage&quot;"/> </enum> </arg> <arg nullable="True" type="string" var="$watchlist.properties.tenantId" options="tenant-id" group="Properties"> <help short="The tenantId where the watchlist belongs to"/> </arg> <arg nullable="True" type="dateTime" var="$watchlist.properties.updated" options="updated" group="Properties"> <help short="The last time the watchlist was updated"/> </arg> <arg nullable="True" type="@UserInfo_update" var="$watchlist.properties.updatedBy" options="updated-by" group="Properties"> <help short="Describes a user that updated the watchlist"/> </arg> <arg nullable="True" type="string" var="$watchlist.properties.uploadStatus" options="upload-status" group="Properties"> <help short="The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted"/> </arg> <arg nullable="True" type="string" var="$watchlist.properties.watchlistId" options="watchlist-id" group="Properties"> <help short="The id (a Guid) of the watchlist"/> </arg> <arg nullable="True" type="string" var="$watchlist.properties.watchlistType" options="watchlist-type" group="Properties"> <help short="The type of the watchlist"/> </arg> </argGroup> <argGroup name="Watchlist"> <arg nullable="True" type="string" var="$watchlist.etag" options="etag" group="Watchlist"> <help short="Etag of the azure resource"/> </arg> </argGroup> <operation operationId="Watchlists_Get"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}"> <request method="get"> <path> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="watchlistAlias" arg="$Path.watchlistAlias" required="True"/> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> </request> <response statusCode="200"> <body> <json var="$Instance"> <schema type="object" cls="Watchlist_read"> <prop type="string" name="etag"/> <prop readOnly="True" type="ResourceId" name="id"> <format template="/subscriptions/{}/resourceGroups/{}/providers/Microsoft.OperationalInsights/workspaces/{}/providers/Microsoft.SecurityInsights/watchlists/{}"/> </prop> <prop readOnly="True" type="string" name="name"/> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="contentType"/> <prop type="dateTime" name="created"/> <prop type="object" name="createdBy" cls="UserInfo_read"> <prop readOnly="True" type="string" name="email"/> <prop readOnly="True" type="string" name="name"/> <prop nullable="True" type="uuid" name="objectId"/> </prop> <prop type="duration" name="defaultDuration"/> <prop type="string" name="description"/> <prop type="string" name="displayName" required="True"/> <prop type="boolean" name="isDeleted"/> <prop type="string" name="itemsSearchKey" required="True"/> <prop type="array<string>" name="labels"> <item type="string"/> </prop> <prop type="integer32" name="numberOfLinesToSkip"/> <prop type="string" name="provider" required="True"/> <prop type="string" name="rawContent"/> <prop type="string" name="source"/> <prop type="string" name="sourceType"> <enum> <item value="&quot;Local file&quot;"/> <item value="&quot;Remote storage&quot;"/> </enum> </prop> <prop type="string" name="tenantId"/> <prop type="dateTime" name="updated"/> <prop type="@UserInfo_read" name="updatedBy"/> <prop type="string" name="uploadStatus"/> <prop type="string" name="watchlistAlias"/> <prop type="string" name="watchlistId"/> <prop type="string" name="watchlistType"/> </prop> <prop readOnly="True" type="object" name="systemData"> <prop readOnly="True" type="dateTime" name="createdAt"/> <prop readOnly="True" type="string" name="createdBy"/> <prop readOnly="True" type="string" name="createdByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> <prop readOnly="True" type="dateTime" name="lastModifiedAt"/> <prop readOnly="True" type="string" name="lastModifiedBy"/> <prop readOnly="True" type="string" name="lastModifiedByType"> <enum> <item value="&quot;Application&quot;"/> <item value="&quot;Key&quot;"/> <item value="&quot;ManagedIdentity&quot;"/> <item value="&quot;User&quot;"/> </enum> </prop> </prop> <prop readOnly="True" type="string" name="type"/> </schema> </json> </body> </response> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <operation> <instanceUpdate instance="$Instance"> <json> <schema type="object" name="watchlist" required="True" clientFlatten="True"> <prop type="string" name="etag" arg="$watchlist.etag"/> <prop type="object" name="properties" clientFlatten="True"> <prop type="string" name="contentType" arg="$watchlist.properties.contentType"/> <prop type="dateTime" name="created" arg="$watchlist.properties.created"/> <prop type="object" name="createdBy" arg="$watchlist.properties.createdBy" cls="UserInfo_update"> <prop nullable="True" type="uuid" name="objectId" arg="@UserInfo_update.objectId"/> </prop> <prop type="duration" name="defaultDuration" arg="$watchlist.properties.defaultDuration"/> <prop type="string" name="description" arg="$watchlist.properties.description"/> <prop type="string" name="displayName" arg="$watchlist.properties.displayName" required="True"/> <prop type="boolean" name="isDeleted" arg="$watchlist.properties.isDeleted"/> <prop type="string" name="itemsSearchKey" arg="$watchlist.properties.itemsSearchKey" required="True"/> <prop type="array<string>" name="labels" arg="$watchlist.properties.labels"> <item type="string"/> </prop> <prop type="integer32" name="numberOfLinesToSkip" arg="$watchlist.properties.numberOfLinesToSkip"/> <prop type="string" name="provider" arg="$watchlist.properties.provider" required="True"/> <prop type="string" name="rawContent" arg="$watchlist.properties.rawContent"/> <prop type="string" name="source" arg="$watchlist.properties.source"/> <prop type="string" name="sourceType" arg="$watchlist.properties.sourceType"> <enum> <item value="&quot;Local file&quot;"/> <item value="&quot;Remote storage&quot;"/> </enum> </prop> <prop type="string" name="tenantId" arg="$watchlist.properties.tenantId"/> <prop type="dateTime" name="updated" arg="$watchlist.properties.updated"/> <prop type="@UserInfo_update" name="updatedBy" arg="$watchlist.properties.updatedBy"/> <prop type="string" name="uploadStatus" arg="$watchlist.properties.uploadStatus"/> <prop type="string" name="watchlistAlias" arg="$Path.watchlistAlias"/> <prop type="string" name="watchlistId" arg="$watchlist.properties.watchlistId"/> <prop type="string" name="watchlistType" arg="$watchlist.properties.watchlistType"/> </prop> </schema> </json> </instanceUpdate> </operation> <operation operationId="Watchlists_CreateOrUpdate"> <http path="/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}"> <request method="put"> <path> <param type="string" name="resourceGroupName" arg="$Path.resourceGroupName" required="True"> <format maxLength="90" minLength="1"/> </param> <param type="string" name="subscriptionId" arg="$Path.subscriptionId" required="True"> <format minLength="1"/> </param> <param type="string" name="watchlistAlias" arg="$Path.watchlistAlias" required="True"/> <param type="string" name="workspaceName" arg="$Path.workspaceName" required="True"> <format maxLength="90" minLength="1"/> </param> </path> <query> <const readOnly="True" const="True" type="string" name="api-version" required="True"> <default value="&quot;2022-06-01-preview&quot;"/> <format minLength="1"/> </const> </query> <body> <json ref="$Instance"/> </body> </request> <response statusCode="200 201"> <body> <json var="$Instance"> <schema type="@Watchlist_read"/> </json> </body> </response> <response isError="True"> <body> <json> <schema type="@ODataV4Format"/> </json> </body> </response> </http> </operation> <output type="object" ref="$Instance" clientFlatten="True"/> </command> </commandGroup> </CodeGen>