Security Center
API spec for Microsoft
{
"swagger": "2.0",
"schemes": [
"https"
],
"host": "management.azure.com",
"info": {
"description": "API spec for Microsoft.Security (Azure Security Center) resource provider",
"title": "Security Center",
"version": "2019-08-01",
"x-apisguru-categories": [
"cloud"
],
"x-logo": {
"url": "https://api.apis.guru/v2/cache/logo/https_assets.onestore.ms_cdnfiles_onestorerolling-1606-01000_shell_v3_images_logo_microsoft.png"
},
"x-origin": [
{
"format": "swagger",
"url": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/specification/security/resource-manager/Microsoft.Security/stable/2019-08-01/iotSecuritySolutionAnalytics.json",
"version": "2.0"
}
],
"x-preferred": true,
"x-providerName": "azure.com",
"x-serviceName": "security-iotSecuritySolutionAnalytics",
"x-tags": [
"Azure",
"Microsoft"
]
},
"consumes": [
"application/json"
],
"produces": [
"application/json"
],
"securityDefinitions": {
"azure_auth": {
"authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
"description": "Azure Active Directory OAuth2 Flow",
"flow": "implicit",
"scopes": {
"user_impersonation": "impersonate your user account"
},
"type": "oauth2"
}
},
"security": [
{
"azure_auth": [
"user_impersonation"
]
}
],
"parameters": {
"AggregatedAlertName": {
"description": "Identifier of the aggregated alert.",
"in": "path",
"name": "aggregatedAlertName",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
"AggregatedRecommendationName": {
"description": "Name of the recommendation aggregated for this query.",
"in": "path",
"name": "aggregatedRecommendationName",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
"SolutionName": {
"description": "The name of the IoT Security solution.",
"in": "path",
"name": "solutionName",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
}
},
"paths": {
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels": {
"get": {
"description": "Use this method to get IoT security Analytics metrics in an array.",
"operationId": "IotSecuritySolutionAnalytics_List",
"parameters": [
{
"description": "API version for the operation",
"in": "query",
"name": "api-version",
"required": true,
"type": "string"
},
{
"description": "Azure subscription ID",
"in": "path",
"name": "subscriptionId",
"pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
"required": true,
"type": "string"
},
{
"description": "The name of the resource group within the user's subscription. The name is case insensitive.",
"in": "path",
"maxLength": 90,
"minLength": 1,
"name": "resourceGroupName",
"pattern": "^[-\\w\\._\\(\\)]+$",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
{
"$ref": "#/parameters/SolutionName"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/IoTSecuritySolutionAnalyticsModelList"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"description": "Error response structure.",
"properties": {
"error": {
"description": "Error details.",
"properties": {
"code": {
"description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
"readOnly": true,
"type": "string"
},
"message": {
"description": "A message describing the error, intended to be suitable for display in a user interface.",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-external": true
}
},
"type": "object",
"x-ms-external": true
}
}
},
"tags": [
"IoT Security Solution Analytics"
],
"x-ms-examples": {
"Get Security Solution Analytics": {
"parameters": {
"api-version": "2019-08-01",
"resourceGroupName": "MyGroup",
"solutionName": "default",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
"properties": {
"devicesMetrics": [
{
"date": "2019-02-01T00:00:00Z",
"devicesMetrics": {
"high": 3,
"low": 70,
"medium": 15
}
},
{
"date": "2019-02-02T00:00:00Z",
"devicesMetrics": {
"high": 3,
"low": 65,
"medium": 45
}
}
],
"metrics": {
"high": 5,
"low": 102,
"medium": 200
},
"mostPrevalentDeviceAlerts": [
{
"alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
"alertsCount": 200,
"reportedSeverity": "Low"
},
{
"alertDisplayName": "Custom Alert - execution of a process that is not allowed",
"alertsCount": 170,
"reportedSeverity": "Medium"
},
{
"alertDisplayName": "Successful Bruteforce",
"alertsCount": 150,
"reportedSeverity": "Low"
}
],
"mostPrevalentDeviceRecommendations": [
{
"devicesCount": 200,
"recommendationDisplayName": "Install the Azure Security of Things Agent",
"reportedSeverity": "Low"
},
{
"devicesCount": 170,
"recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
"reportedSeverity": "Low"
},
{
"devicesCount": 150,
"recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
"reportedSeverity": "Medium"
}
],
"topAlertedDevices": [
{
"alertsCount": 200,
"deviceId": "id1"
},
{
"alertsCount": 170,
"deviceId": "id2"
},
{
"alertsCount": 150,
"deviceId": "id3"
}
],
"unhealthyDeviceCount": 1200
},
"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModelList"
}
]
}
}
}
}
}
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default": {
"get": {
"description": "Use this method to get IoT Security Analytics metrics.",
"operationId": "IotSecuritySolutionAnalytics_Get",
"parameters": [
{
"description": "API version for the operation",
"in": "query",
"name": "api-version",
"required": true,
"type": "string"
},
{
"description": "Azure subscription ID",
"in": "path",
"name": "subscriptionId",
"pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
"required": true,
"type": "string"
},
{
"description": "The name of the resource group within the user's subscription. The name is case insensitive.",
"in": "path",
"maxLength": 90,
"minLength": 1,
"name": "resourceGroupName",
"pattern": "^[-\\w\\._\\(\\)]+$",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
{
"$ref": "#/parameters/SolutionName"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/IoTSecuritySolutionAnalyticsModel"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"description": "Error response structure.",
"properties": {
"error": {
"description": "Error details.",
"properties": {
"code": {
"description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
"readOnly": true,
"type": "string"
},
"message": {
"description": "A message describing the error, intended to be suitable for display in a user interface.",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-external": true
}
},
"type": "object",
"x-ms-external": true
}
}
},
"tags": [
"IoT Security Solution Analytics"
],
"x-ms-examples": {
"Get Security Solution Analytics": {
"parameters": {
"api-version": "2019-08-01",
"resourceGroupName": "MyGroup",
"solutionName": "default",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default",
"properties": {
"devicesMetrics": [
{
"date": "2019-02-01T00:00:00Z",
"devicesMetrics": {
"high": 3,
"low": 70,
"medium": 15
}
},
{
"date": "2019-02-02T00:00:00Z",
"devicesMetrics": {
"high": 3,
"low": 65,
"medium": 45
}
}
],
"metrics": {
"high": 5,
"low": 102,
"medium": 200
},
"mostPrevalentDeviceAlerts": [
{
"alertDisplayName": "Custom Alert - number of device to cloud messages in AMQP protocol is not in the allowed range",
"alertsCount": 200,
"reportedSeverity": "Low"
},
{
"alertDisplayName": "Custom Alert - execution of a process that is not allowed",
"alertsCount": 170,
"reportedSeverity": "Medium"
},
{
"alertDisplayName": "Successful Bruteforce",
"alertsCount": 150,
"reportedSeverity": "Low"
}
],
"mostPrevalentDeviceRecommendations": [
{
"devicesCount": 200,
"recommendationDisplayName": "Install the Azure Security of Things Agent",
"reportedSeverity": "Low"
},
{
"devicesCount": 170,
"recommendationDisplayName": "High level permissions configured in Edge model twin for Edge module",
"reportedSeverity": "Low"
},
{
"devicesCount": 150,
"recommendationDisplayName": "Same Authentication Credentials used by multiple devices",
"reportedSeverity": "Medium"
}
],
"topAlertedDevices": [
{
"alertsCount": 200,
"deviceId": "id1"
},
{
"alertsCount": 170,
"deviceId": "id2"
},
{
"alertsCount": 150,
"deviceId": "id3"
}
],
"unhealthyDeviceCount": 1200
},
"type": "Microsoft.Security/IoTSecuritySolutionAnalyticsModel"
}
}
}
}
}
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts": {
"get": {
"description": "Use this method to get the aggregated alert list of your IoT Security solution.",
"operationId": "IotSecuritySolutionsAnalyticsAggregatedAlert_List",
"parameters": [
{
"description": "API version for the operation",
"in": "query",
"name": "api-version",
"required": true,
"type": "string"
},
{
"description": "Azure subscription ID",
"in": "path",
"name": "subscriptionId",
"pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
"required": true,
"type": "string"
},
{
"description": "The name of the resource group within the user's subscription. The name is case insensitive.",
"in": "path",
"maxLength": 90,
"minLength": 1,
"name": "resourceGroupName",
"pattern": "^[-\\w\\._\\(\\)]+$",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
{
"$ref": "#/parameters/SolutionName"
},
{
"description": "Number of results to retrieve.",
"in": "query",
"name": "$top",
"required": false,
"type": "integer"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/IoTSecurityAggregatedAlertList"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"description": "Error response structure.",
"properties": {
"error": {
"description": "Error details.",
"properties": {
"code": {
"description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
"readOnly": true,
"type": "string"
},
"message": {
"description": "A message describing the error, intended to be suitable for display in a user interface.",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-external": true
}
},
"type": "object",
"x-ms-external": true
}
}
},
"tags": [
"Aggregated Alert"
],
"x-ms-examples": {
"Get the aggregated alert list of yours IoT Security solution": {
"parameters": {
"api-version": "2019-08-01",
"resourceGroupName": "MyGroup",
"solutionName": "default",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
"properties": {
"actionTaken": "Detected",
"aggregatedDateUtc": "2019-02-02",
"alertDisplayName": "Failed Bruteforce",
"alertType": "IoT_Bruteforce_Fail",
"count": 50,
"description": "Multiple unsuccessful login attempts identified. A Bruteforce attack on the device failed.",
"effectedResourceType": "IoT Device",
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
"remediationSteps": "",
"reportedSeverity": "Low",
"systemSource": "Devices",
"topDevicesList": [
{
"alertsCount": 45,
"deviceId": "testDevice1",
"lastOccurrence": "10:42"
},
{
"alertsCount": 30,
"deviceId": "testDevice2",
"lastOccurrence": "15:42"
}
],
"vendorName": "Microsoft"
},
"type": "Microsoft.Security/IoTSecurityAggregatedAlert"
},
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Success/2019-02-02",
"properties": {
"actionTaken": "Detected",
"aggregatedDateUtc": "2019-02-02",
"alertDisplayName": "Successful Bruteforce",
"alertType": "IoT_Bruteforce_Success",
"count": 600000,
"description": "Multiple unsuccessful login attempts identified followed by a successful login. A Bruteforce attack on the device was successful.",
"effectedResourceType": "IoT Device",
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
"remediationSteps": "",
"reportedSeverity": "Low",
"systemSource": "Devices",
"topDevicesList": [
{
"alertsCount": 12321,
"deviceId": "testDevice1",
"lastOccurrence": "10:42"
},
{
"alertsCount": 455,
"deviceId": "testDevice2",
"lastOccurrence": "15:42"
}
],
"vendorName": "Microsoft"
},
"type": "Microsoft.Security/IoTSecurityAggregatedAlert"
}
]
}
}
}
}
},
"x-ms-pageable": {
"nextLinkName": "nextLink"
}
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts/{aggregatedAlertName}": {
"get": {
"description": "Use this method to get a single aggregated alert of your IoT Security solution. This aggregation is performed by alert name.",
"operationId": "IotSecuritySolutionsAnalyticsAggregatedAlert_Get",
"parameters": [
{
"description": "API version for the operation",
"in": "query",
"name": "api-version",
"required": true,
"type": "string"
},
{
"description": "Azure subscription ID",
"in": "path",
"name": "subscriptionId",
"pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
"required": true,
"type": "string"
},
{
"description": "The name of the resource group within the user's subscription. The name is case insensitive.",
"in": "path",
"maxLength": 90,
"minLength": 1,
"name": "resourceGroupName",
"pattern": "^[-\\w\\._\\(\\)]+$",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
{
"$ref": "#/parameters/SolutionName"
},
{
"$ref": "#/parameters/AggregatedAlertName"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/IoTSecurityAggregatedAlert"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"description": "Error response structure.",
"properties": {
"error": {
"description": "Error details.",
"properties": {
"code": {
"description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
"readOnly": true,
"type": "string"
},
"message": {
"description": "A message describing the error, intended to be suitable for display in a user interface.",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-external": true
}
},
"type": "object",
"x-ms-external": true
}
}
},
"tags": [
"Aggregated Alert"
],
"x-ms-examples": {
"Get the aggregated security analytics alert of yours IoT Security solution. This aggregation is performed by alert name": {
"parameters": {
"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02",
"api-version": "2019-08-01",
"resourceGroupName": "MyGroup",
"solutionName": "default",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
"name": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/MyGroup/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_Bruteforce_Fail/2019-02-02",
"properties": {
"actionTaken": "Detected",
"aggregatedDateUtc": "2019-02-02",
"alertDisplayName": "Failed Bruteforce",
"alertType": "IoT_Bruteforce_Fail",
"count": 50,
"description": "Multiple unsuccessful login attempts identified. A Bruteforce attack on the device failed.",
"effectedResourceType": "IoT Device",
"logAnalyticsQuery": "SecurityAlert | where tolower(ResourceId) == tolower('/subscriptions/b77ec8a9-04ed-48d2-a87a-e5887b978ba6/resourceGroups/IoT-Solution-DemoEnv/providers/Microsoft.Devices/IotHubs/rtogm-hub') and tolower(AlertName) == tolower('Custom Alert - number of device to cloud messages in MQTT protocol is not in the allowed range') | extend DeviceId=parse_json(ExtendedProperties)['DeviceId'] | project DeviceId, TimeGenerated, DisplayName, AlertSeverity, Description, RemediationSteps, ExtendedProperties",
"remediationSteps": "",
"reportedSeverity": "Low",
"systemSource": "Devices",
"topDevicesList": [
{
"alertsCount": 100,
"deviceId": "testDevice1",
"lastOccurrence": "10:42"
},
{
"alertsCount": 80,
"deviceId": "testDevice2",
"lastOccurrence": "15:42"
}
],
"vendorName": "Microsoft"
},
"type": "Microsoft.Security/IoTSecurityAggregatedAlert"
}
}
}
}
}
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedAlerts/{aggregatedAlertName}/dismiss": {
"post": {
"description": "Use this method to dismiss an aggregated IoT Security Solution Alert.",
"operationId": "IotSecuritySolutionsAnalyticsAggregatedAlert_Dismiss",
"parameters": [
{
"description": "API version for the operation",
"in": "query",
"name": "api-version",
"required": true,
"type": "string"
},
{
"description": "Azure subscription ID",
"in": "path",
"name": "subscriptionId",
"pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
"required": true,
"type": "string"
},
{
"description": "The name of the resource group within the user's subscription. The name is case insensitive.",
"in": "path",
"maxLength": 90,
"minLength": 1,
"name": "resourceGroupName",
"pattern": "^[-\\w\\._\\(\\)]+$",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
{
"$ref": "#/parameters/SolutionName"
},
{
"$ref": "#/parameters/AggregatedAlertName"
}
],
"responses": {
"200": {
"description": "This aggregate alert is permanently dismissed."
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"description": "Error response structure.",
"properties": {
"error": {
"description": "Error details.",
"properties": {
"code": {
"description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
"readOnly": true,
"type": "string"
},
"message": {
"description": "A message describing the error, intended to be suitable for display in a user interface.",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-external": true
}
},
"type": "object",
"x-ms-external": true
}
}
},
"tags": [
"Aggregated Alert"
],
"x-ms-examples": {
"Dismiss an aggregated IoT Security Solution Alert": {
"parameters": {
"aggregatedAlertName": "IoT_Bruteforce_Fail/2019-02-02/dismiss",
"api-version": "2019-08-01",
"resourceGroupName": "IoTEdgeResources",
"solutionName": "default",
"subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
},
"responses": {
"200": {}
}
}
}
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedRecommendations": {
"get": {
"description": "Use this method to get the list of aggregated security analytics recommendations of your IoT Security solution.",
"operationId": "IotSecuritySolutionsAnalyticsRecommendation_List",
"parameters": [
{
"description": "API version for the operation",
"in": "query",
"name": "api-version",
"required": true,
"type": "string"
},
{
"description": "Azure subscription ID",
"in": "path",
"name": "subscriptionId",
"pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
"required": true,
"type": "string"
},
{
"description": "The name of the resource group within the user's subscription. The name is case insensitive.",
"in": "path",
"maxLength": 90,
"minLength": 1,
"name": "resourceGroupName",
"pattern": "^[-\\w\\._\\(\\)]+$",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
{
"$ref": "#/parameters/SolutionName"
},
{
"description": "Number of results to retrieve.",
"in": "query",
"name": "$top",
"required": false,
"type": "integer"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/IoTSecurityAggregatedRecommendationList"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"description": "Error response structure.",
"properties": {
"error": {
"description": "Error details.",
"properties": {
"code": {
"description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
"readOnly": true,
"type": "string"
},
"message": {
"description": "A message describing the error, intended to be suitable for display in a user interface.",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-external": true
}
},
"type": "object",
"x-ms-external": true
}
}
},
"tags": [
"Aggregated Recommendation"
],
"x-ms-examples": {
"Get the list of aggregated security analytics recommendations of yours IoT Security solution": {
"parameters": {
"api-version": "2019-08-01",
"resourceGroupName": "IoTEdgeResources",
"solutionName": "default",
"subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735"
},
"responses": {
"200": {
"body": {
"value": [
{
"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
"properties": {
"description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default and define rules to allow necessary communication to/from the device",
"detectedBy": "Microsoft",
"healthyDevices": 10000,
"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')",
"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
"recommendationName": "OpenPortsOnDevice",
"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
"remediationSteps": "",
"reportedSeverity": "Low",
"unhealthyDeviceCount": 200
},
"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation"
},
{
"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/TooLargeIPRange",
"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/IoT_InstallAgent",
"properties": {
"description": "An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors.",
"detectedBy": "Microsoft",
"healthyDevices": 130000,
"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('TooLargeIPRange')",
"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
"recommendationName": "TooLargeIPRange",
"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
"remediationSteps": "",
"reportedSeverity": "High",
"unhealthyDeviceCount": 1
},
"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation"
}
]
}
}
}
}
},
"x-ms-pageable": {
"nextLinkName": "nextLink"
}
}
},
"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/iotSecuritySolutions/{solutionName}/analyticsModels/default/aggregatedRecommendations/{aggregatedRecommendationName}": {
"get": {
"description": "Use this method to get the aggregated security analytics recommendation of your IoT Security solution. This aggregation is performed by recommendation name.",
"operationId": "IotSecuritySolutionsAnalyticsRecommendation_Get",
"parameters": [
{
"description": "API version for the operation",
"in": "query",
"name": "api-version",
"required": true,
"type": "string"
},
{
"description": "Azure subscription ID",
"in": "path",
"name": "subscriptionId",
"pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
"required": true,
"type": "string"
},
{
"description": "The name of the resource group within the user's subscription. The name is case insensitive.",
"in": "path",
"maxLength": 90,
"minLength": 1,
"name": "resourceGroupName",
"pattern": "^[-\\w\\._\\(\\)]+$",
"required": true,
"type": "string",
"x-ms-parameter-location": "method"
},
{
"$ref": "#/parameters/SolutionName"
},
{
"$ref": "#/parameters/AggregatedRecommendationName"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/IoTSecurityAggregatedRecommendation"
}
},
"default": {
"description": "Error response describing why the operation failed.",
"schema": {
"description": "Error response structure.",
"properties": {
"error": {
"description": "Error details.",
"properties": {
"code": {
"description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
"readOnly": true,
"type": "string"
},
"message": {
"description": "A message describing the error, intended to be suitable for display in a user interface.",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-external": true
}
},
"type": "object",
"x-ms-external": true
}
}
},
"tags": [
"Aggregated Recommendation"
],
"x-ms-examples": {
"Get the aggregated security analytics recommendation of yours IoT Security solution": {
"parameters": {
"aggregatedRecommendationName": "OpenPortsOnDevice",
"api-version": "2019-08-01",
"resourceGroupName": "IoTEdgeResources",
"solutionName": "default",
"subscriptionId": "075423e9-7d33-4166-8bdf-3920b04e3735"
},
"responses": {
"200": {
"body": {
"id": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
"name": "/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Security/IoTSecuritySolutions/Locations/eastus/default/OpenPortsOnDevice",
"properties": {
"description": "An allowed firewall policy was found in main firewall Chains (INPUT/OUTPUT). The policy should Deny all traffic by default and define rules to allow necessary communication to/from the device",
"detectedBy": "Microsoft",
"healthyDevices": 10000,
"logAnalyticsQuery": "SecurityRecommendation | where tolower(AssessedResourceId) == tolower('/subscriptions/075423e9-7d33-4166-8bdf-3920b04e3735/resourceGroups/IoTEdgeResources/providers/Microsoft.Devices/IotHubs/t-ofdadu-hub') and tolower(RecommendationName) == tolower('OpenPortsOnDevice')",
"recommendationDisplayName": "Permissive firewall policy in one of the chains was found",
"recommendationName": "OpenPortsOnDevice",
"recommendationTypeId": "{20ff7fc3-e762-44dd-bd96-b71116dcdc23}",
"remediationSteps": "",
"reportedSeverity": "Low",
"unhealthyDeviceCount": 200
},
"type": "Microsoft.Security/IoTSecurityAggregatedRecommendation"
}
}
}
}
}
}
}
},
"definitions": {
"IoTSecurityAggregatedAlert": {
"allOf": [
{
"description": "Describes an Azure resource.",
"properties": {
"id": {
"description": "Resource Id",
"readOnly": true,
"type": "string"
},
"name": {
"description": "Resource name",
"readOnly": true,
"type": "string"
},
"type": {
"description": "Resource type",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-azure-resource": true
},
{
"$ref": "#/definitions/TagsResource"
}
],
"description": "Security Solution Aggregated Alert information",
"properties": {
"properties": {
"$ref": "#/definitions/IoTSecurityAggregatedAlertProperties",
"description": "IoT Security solution aggregated alert details.",
"x-ms-client-flatten": true
}
},
"type": "object"
},
"IoTSecurityAggregatedAlertList": {
"description": "List of IoT Security solution aggregated alert data.",
"properties": {
"nextLink": {
"description": "When there is too much alert data for one page, use this URI to fetch the next page.",
"readOnly": true,
"type": "string"
},
"value": {
"description": "List of aggregated alerts data.",
"items": {
"$ref": "#/definitions/IoTSecurityAggregatedAlert"
},
"type": "array"
}
},
"required": [
"value"
]
},
"IoTSecurityAggregatedAlertProperties": {
"description": "IoT Security solution aggregated alert details.",
"properties": {
"actionTaken": {
"description": "IoT Security solution alert response.",
"readOnly": true,
"type": "string"
},
"aggregatedDateUtc": {
"description": "Date of detection.",
"format": "date",
"readOnly": true,
"type": "string"
},
"alertDisplayName": {
"description": "Display name of the alert type.",
"readOnly": true,
"type": "string"
},
"alertType": {
"description": "Name of the alert type.",
"readOnly": true,
"type": "string"
},
"count": {
"description": "Number of alert occurrences within the aggregated time window.",
"readOnly": true,
"type": "integer"
},
"description": {
"description": "Description of the suspected vulnerability and meaning.",
"readOnly": true,
"type": "string"
},
"effectedResourceType": {
"description": "Azure resource ID of the resource that received the alerts.",
"readOnly": true,
"type": "string"
},
"logAnalyticsQuery": {
"description": "Log analytics query for getting the list of affected devices/alerts.",
"readOnly": true,
"type": "string"
},
"remediationSteps": {
"description": "Recommended steps for remediation.",
"readOnly": true,
"type": "string"
},
"reportedSeverity": {
"description": "Assessed alert severity.",
"enum": [
"Informational",
"Low",
"Medium",
"High"
],
"readOnly": true,
"type": "string",
"x-ms-enum": {
"modelAsString": true,
"name": "reportedSeverity",
"values": [
{
"value": "Informational"
},
{
"value": "Low"
},
{
"value": "Medium"
},
{
"value": "High"
}
]
}
},
"systemSource": {
"description": "The type of the alerted resource (Azure, Non-Azure).",
"readOnly": true,
"type": "string"
},
"topDevicesList": {
"description": "10 devices with the highest number of occurrences of this alert type, on this day.",
"items": {
"properties": {
"alertsCount": {
"description": "Number of alerts raised for this device.",
"readOnly": true,
"type": "integer"
},
"deviceId": {
"description": "Name of the device.",
"readOnly": true,
"type": "string"
},
"lastOccurrence": {
"description": "Most recent time this alert was raised for this device, on this day.",
"readOnly": true,
"type": "string"
}
}
},
"readOnly": true,
"type": "array"
},
"vendorName": {
"description": "Name of the organization that raised the alert.",
"readOnly": true,
"type": "string"
}
},
"type": "object"
},
"IoTSecurityAggregatedRecommendation": {
"allOf": [
{
"description": "Describes an Azure resource.",
"properties": {
"id": {
"description": "Resource Id",
"readOnly": true,
"type": "string"
},
"name": {
"description": "Resource name",
"readOnly": true,
"type": "string"
},
"type": {
"description": "Resource type",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-azure-resource": true
},
{
"$ref": "#/definitions/TagsResource"
}
],
"description": "IoT Security solution recommendation information.",
"properties": {
"properties": {
"$ref": "#/definitions/IoTSecurityAggregatedRecommendationProperties",
"description": "Security Solution data",
"x-ms-client-flatten": true
}
},
"type": "object"
},
"IoTSecurityAggregatedRecommendationList": {
"description": "List of IoT Security solution aggregated recommendations.",
"properties": {
"nextLink": {
"description": "When there is too much alert data for one page, use this URI to fetch the next page.",
"readOnly": true,
"type": "string"
},
"value": {
"description": "List of aggregated recommendations data.",
"items": {
"$ref": "#/definitions/IoTSecurityAggregatedRecommendation"
},
"type": "array"
}
},
"required": [
"value"
]
},
"IoTSecurityAggregatedRecommendationProperties": {
"description": "IoT Security solution aggregated recommendation information",
"properties": {
"description": {
"description": "Description of the suspected vulnerability and meaning.",
"readOnly": true,
"type": "string"
},
"detectedBy": {
"description": "Name of the organization that made the recommendation.",
"readOnly": true,
"type": "string"
},
"healthyDevices": {
"description": "Number of healthy devices within the IoT Security solution.",
"readOnly": true,
"type": "integer"
},
"logAnalyticsQuery": {
"description": "Log analytics query for getting the list of affected devices/alerts.",
"readOnly": true,
"type": "string"
},
"recommendationDisplayName": {
"description": "Display name of the recommendation type.",
"readOnly": true,
"type": "string"
},
"recommendationName": {
"description": "Name of the recommendation.",
"type": "string"
},
"recommendationTypeId": {
"description": "Recommendation-type GUID.",
"readOnly": true,
"type": "string"
},
"remediationSteps": {
"description": "Recommended steps for remediation",
"readOnly": true,
"type": "string"
},
"reportedSeverity": {
"description": "Assessed recommendation severity.",
"enum": [
"Informational",
"Low",
"Medium",
"High"
],
"readOnly": true,
"type": "string",
"x-ms-enum": {
"modelAsString": true,
"name": "reportedSeverity",
"values": [
{
"value": "Informational"
},
{
"value": "Low"
},
{
"value": "Medium"
},
{
"value": "High"
}
]
}
},
"unhealthyDeviceCount": {
"description": "Number of unhealthy devices within the IoT Security solution.",
"readOnly": true,
"type": "integer"
}
},
"type": "object"
},
"IoTSecurityAlertedDevice": {
"description": "Statistical information about the number of alerts per device during last set number of days.",
"properties": {
"alertsCount": {
"description": "Number of alerts raised for this device.",
"readOnly": true,
"type": "integer"
},
"deviceId": {
"description": "Device identifier.",
"readOnly": true,
"type": "string"
}
},
"type": "object"
},
"IoTSecurityAlertedDevicesList": {
"description": "List of devices with open alerts including the count of alerts per device.",
"items": {
"$ref": "#/definitions/IoTSecurityAlertedDevice"
},
"type": "array"
},
"IoTSecurityDeviceAlert": {
"description": "Statistical information about the number of alerts per alert type during last set number of days",
"properties": {
"alertDisplayName": {
"description": "Display name of the alert",
"readOnly": true,
"type": "string"
},
"alertsCount": {
"description": "Number of alerts raised for this alert type.",
"readOnly": true,
"type": "integer"
},
"reportedSeverity": {
"description": "Assessed Alert severity.",
"enum": [
"Informational",
"Low",
"Medium",
"High"
],
"readOnly": true,
"type": "string",
"x-ms-enum": {
"modelAsString": true,
"name": "reportedSeverity",
"values": [
{
"value": "Informational"
},
{
"value": "Low"
},
{
"value": "Medium"
},
{
"value": "High"
}
]
}
}
},
"type": "object"
},
"IoTSecurityDeviceAlertsList": {
"description": "List of alerts with the count of raised alerts",
"items": {
"$ref": "#/definitions/IoTSecurityDeviceAlert"
},
"type": "array"
},
"IoTSecurityDeviceRecommendation": {
"description": "Statistical information about the number of recommendations per device, per recommendation type.",
"properties": {
"devicesCount": {
"description": "Number of devices with this recommendation.",
"readOnly": true,
"type": "integer"
},
"recommendationDisplayName": {
"description": "Display name of the recommendation.",
"readOnly": true,
"type": "string"
},
"reportedSeverity": {
"description": "Assessed recommendation severity.",
"enum": [
"Informational",
"Low",
"Medium",
"High"
],
"readOnly": true,
"type": "string",
"x-ms-enum": {
"modelAsString": true,
"name": "reportedSeverity",
"values": [
{
"value": "Informational"
},
{
"value": "Low"
},
{
"value": "Medium"
},
{
"value": "High"
}
]
}
}
},
"type": "object"
},
"IoTSecurityDeviceRecommendationsList": {
"description": "List of aggregated recommendation data, per recommendation type, per device.",
"items": {
"$ref": "#/definitions/IoTSecurityDeviceRecommendation"
},
"type": "array"
},
"IoTSecuritySolutionAnalyticsModel": {
"allOf": [
{
"description": "Describes an Azure resource.",
"properties": {
"id": {
"description": "Resource Id",
"readOnly": true,
"type": "string"
},
"name": {
"description": "Resource name",
"readOnly": true,
"type": "string"
},
"type": {
"description": "Resource type",
"readOnly": true,
"type": "string"
}
},
"type": "object",
"x-ms-azure-resource": true
}
],
"description": "Security analytics of your IoT Security solution",
"properties": {
"properties": {
"$ref": "#/definitions/IoTSecuritySolutionAnalyticsModelProperties",
"description": "Security Solution Aggregated Alert data",
"x-ms-client-flatten": true
}
},
"type": "object"
},
"IoTSecuritySolutionAnalyticsModelList": {
"description": "List of Security analytics of your IoT Security solution",
"properties": {
"nextLink": {
"description": "When there is too much alert data for one page, use this URI to fetch the next page.",
"readOnly": true,
"type": "string"
},
"value": {
"description": "List of Security analytics of your IoT Security solution",
"items": {
"$ref": "#/definitions/IoTSecuritySolutionAnalyticsModel"
},
"type": "array"
}
},
"required": [
"value"
]
},
"IoTSecuritySolutionAnalyticsModelProperties": {
"description": "Security analytics properties of your IoT Security solution",
"properties": {
"devicesMetrics": {
"description": "List of device metrics by the aggregation date.",
"items": {
"properties": {
"date": {
"description": "Aggregation of IoT Security solution device alert metrics by date.",
"format": "date-time",
"type": "string"
},
"devicesMetrics": {
"$ref": "#/definitions/IoTSeverityMetrics",
"description": "Device alert count by severity.",
"type": "object"
}
}
},
"readOnly": true,
"type": "array"
},
"metrics": {
"$ref": "#/definitions/IoTSeverityMetrics",
"description": "Security analytics of your IoT Security solution.",
"readOnly": true,
"type": "object"
},
"mostPrevalentDeviceAlerts": {
"$ref": "#/definitions/IoTSecurityDeviceAlertsList",
"description": "List of the 3 most prevalent device alerts.",
"type": "object"
},
"mostPrevalentDeviceRecommendations": {
"$ref": "#/definitions/IoTSecurityDeviceRecommendationsList",
"description": "List of the 3 most prevalent device recommendations.",
"type": "object"
},
"topAlertedDevices": {
"$ref": "#/definitions/IoTSecurityAlertedDevicesList",
"description": "List of the 3 devices with the most alerts.",
"type": "object"
},
"unhealthyDeviceCount": {
"description": "Number of unhealthy devices within your IoT Security solution.",
"readOnly": true,
"type": "integer"
}
}
},
"IoTSeverityMetrics": {
"description": "IoT Security solution analytics severity metrics.",
"properties": {
"high": {
"description": "Count of high severity alerts/recommendations.",
"type": "integer"
},
"low": {
"description": "Count of low severity alerts/recommendations.",
"type": "integer"
},
"medium": {
"description": "Count of medium severity alerts/recommendations.",
"type": "integer"
}
},
"type": "object"
},
"TagsResource": {
"description": "A container holding only the Tags for a resource, allowing the user to update the tags.",
"properties": {
"tags": {
"additionalProperties": {
"type": "string"
},
"description": "Resource tags",
"type": "object"
}
}
}
}
}