Microsoft.OperationalInsights (preview:2025-07-01)

2026/01/04 • 27 updated methods

Actions_ListByAlertRule (updated)
Description Gets all actions of alert rule.
Reference Link ¶

⚶ Changes

{
  "#id": "Actions_ListByAlertRule",
  "$responses": {
    "200": {
      "$properties": {
        "value": {
          "$properties": {
            "@added_fe361e96812746c495dd5cd309fd75d4": {
              "#name": "etag",
              "Description": "ETag of the action.",
              "Required": false,
              "Type": "string"
            }
          }
        }
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
ruleId:
{
Description: Alert rule ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
nextLink:
{
Description: URL to fetch the next set of actions. ,
Required: False ,
}
string ,
value:
{
Description: Array of actions. ,
Required: True ,
}
[
{
etag:
{
Description: ETag of the action. ,
Required: False ,
}
string ,
properties:
{
Description: Action properties for get request ,
Required: False ,
}
{
workflowId:
{
Description: The name of the logic app's workflow. ,
Required: False ,
}
string ,
}
,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Actions_Get (updated)
Description Gets the action of alert rule.
Reference Link ¶

⚶ Changes

{
  "#id": "Actions_Get",
  "$responses": {
    "200": {
      "$properties": {
        "@added_7533212f15e04f1495283f2c380a5c64": {
          "#name": "etag",
          "Description": "ETag of the action.",
          "Required": false,
          "Type": "string"
        }
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
ruleId:
{
Description: Alert rule ID ,
Required: True ,
}
string ,
actionId:
{
Description: Action ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
etag:
{
Description: ETag of the action. ,
Required: False ,
}
string ,
properties:
{
Description: Action properties for get request ,
Required: False ,
}
{
workflowId:
{
Description: The name of the logic app's workflow. ,
Required: False ,
}
string ,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Actions_CreateOrUpdate (updated)
Description Creates or updates the action of alert rule.
Reference Link ¶

⚶ Changes

{
  "#id": "Actions_CreateOrUpdate",
  "$responses": {
    "200": {
      "$properties": {
        "@added_f7d623521f9a4972a3a71155e38369d8": {
          "#name": "etag",
          "Description": "ETag of the action.",
          "Required": false,
          "Type": "string"
        }
      }
    },
    "201": {
      "$properties": {
        "@added_6817f61a2faf45eb9af33375f93d70d8": {
          "#name": "etag",
          "Description": "ETag of the action.",
          "Required": false,
          "Type": "string"
        }
      }
    }
  }
}

⚼ Request

PUT:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}/actions/{actionId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
ruleId:
{
Description: Alert rule ID ,
Required: True ,
}
string ,
actionId:
{
Description: Action ID ,
Required: True ,
}
string ,
action:
{
Description: The action ,
Required: True ,
}
{
properties:
{
Description: Action properties for put request ,
Required: False ,
}
{
triggerUri:
{
Description: Logic App Callback URL for this specific workflow. ,
Required: True ,
}
string ,
}
,
}
,
}

⚐ Response (200)

{
etag:
{
Description: ETag of the action. ,
Required: False ,
}
string ,
properties:
{
Description: Action properties for get request ,
Required: False ,
}
{
workflowId:
{
Description: The name of the logic app's workflow. ,
Required: False ,
}
string ,
}
,
}

⚐ Response (201)

{
etag:
{
Description: ETag of the action. ,
Required: False ,
}
string ,
properties:
{
Description: Action properties for get request ,
Required: False ,
}
{
workflowId:
{
Description: The name of the logic app's workflow. ,
Required: False ,
}
string ,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Incidents_Get (updated)
Description Gets a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "Incidents_Get",
  "Description": {
    "new": "Gets a given incident.",
    "old": "Gets an incident."
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
properties:
{
Description: Incident properties ,
Required: False ,
}
{
title:
{
Description: The title of the incident ,
Required: True ,
}
string ,
description:
{
Description: The description of the incident ,
Required: False ,
}
string ,
severity:
{
Description: The severity of the incident ,
Enum:
{
High: High severity ,
Medium: Medium severity ,
Low: Low severity ,
Informational: Informational severity ,
}
,
Required: True ,
}
enum ,
status:
{
Description: The status of the incident ,
Enum:
{
New: An active incident which isn't being handled currently ,
Active: An active incident which is being handled ,
Closed: A non-active incident ,
}
,
Required: True ,
}
enum ,
classification:
{
Description: The reason the incident was closed ,
Enum:
{
Undetermined: Incident classification was undetermined ,
TruePositive: Incident was true positive ,
BenignPositive: Incident was benign positive ,
FalsePositive: Incident was false positive ,
}
,
Required: False ,
}
enum ,
classificationReason:
{
Description: The classification reason the incident was closed with ,
Enum:
{
SuspiciousActivity: Classification reason was suspicious activity ,
SuspiciousButExpected: Classification reason was suspicious but expected ,
IncorrectAlertLogic: Classification reason was incorrect alert logic ,
InaccurateData: Classification reason was inaccurate data ,
}
,
Required: False ,
}
enum ,
classificationComment:
{
Description: Describes the reason the incident was closed ,
Required: False ,
}
string ,
owner:
{
Description: Describes a user that the incident is assigned to ,
Required: False ,
}
{
email:
{
Description: The email of the user the incident is assigned to. ,
Required: False ,
}
string ,
assignedTo:
{
Description: The name of the user the incident is assigned to. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user the incident is assigned to. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the user the incident is assigned to. ,
Required: False ,
}
string ,
ownerType:
{
Description: The type of the owner the incident is assigned to. ,
Enum:
{
Unknown: The incident owner type is unknown ,
User: The incident owner type is an AAD user ,
Group: The incident owner type is an AAD group ,
}
,
Required: False ,
}
enum ,
}
,
labels:
{
Description: List of labels relevant to this incident ,
Required: False ,
}
[
{
labelName:
{
Description: The name of the label ,
Required: True ,
}
string ,
labelType:
{
Description: The type of the label ,
Enum:
{
User: Label manually created by a user ,
AutoAssigned: Label automatically created by the system ,
}
,
Required: False ,
}
enum ,
}
,
]
,
firstActivityTimeUtc:
{
Description: The time of the first activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastActivityTimeUtc:
{
Description: The time of the last activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The last time the incident was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdTimeUtc:
{
Description: The time the incident was created ,
Format: date-time ,
Required: False ,
}
string ,
incidentNumber:
{
Description: A sequential number ,
Format: int32 ,
Required: False ,
}
integer ,
additionalData:
{
Description: Additional data on the incident ,
Required: False ,
}
{
alertsCount:
{
Description: The number of alerts in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
bookmarksCount:
{
Description: The number of bookmarks in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
commentsCount:
{
Description: The number of comments in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
alertProductNames:
{
Description: List of product names of alerts in the incident ,
Required: False ,
}
[
string ,
]
,
tactics:
{
Description: The tactics associated with incident ,
Required: False ,
}
[
string ,
]
,
techniques:
{
Description: The techniques associated with incident's tactics ,
Required: False ,
}
[
string ,
]
,
providerIncidentUrl:
{
Description: The provider incident url to the incident in Microsoft 365 Defender portal ,
Required: False ,
}
string ,
mergedIncidentNumber:
{
Description: The incident number of the incident that the current incident was merged into ,
Required: False ,
}
string ,
mergedIncidentUrl:
{
Description: The URL to the incident that the current incident was merged into ,
Required: False ,
}
string ,
}
,
relatedAnalyticRuleIds:
{
Description: List of resource ids of Analytic rules related to the incident ,
Required: False ,
}
[
string ,
]
,
incidentUrl:
{
Description: The deep-link url to the incident in Azure portal ,
Required: False ,
}
string ,
providerName:
{
Description: The name of the source provider that generated the incident ,
Required: False ,
}
string ,
providerIncidentId:
{
Description: The incident ID assigned by the incident provider ,
Required: False ,
}
string ,
teamInformation:
{
Description: Describes a team for the incident ,
Required: False ,
}
{
teamId:
{
Description: Team ID ,
Required: False ,
}
string ,
primaryChannelUrl:
{
Description: The primary channel URL of the team ,
Required: False ,
}
string ,
teamCreationTimeUtc:
{
Description: The time the team was created ,
Format: date-time ,
Required: False ,
}
string ,
name:
{
Description: The name of the team ,
Required: False ,
}
string ,
description:
{
Description: The description of the team ,
Required: False ,
}
string ,
}
,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Incidents_CreateOrUpdate (updated)
Description Creates or updates an incident.
Reference Link ¶

⚶ Changes

{
  "#id": "Incidents_CreateOrUpdate",
  "Description": {
    "new": "Creates or updates an incident.",
    "old": "Creates or updates the incident."
  }
}

⚼ Request

PUT:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
incident:
{
Description: The incident ,
Required: True ,
}
{
properties:
{
Description: Incident properties ,
Required: False ,
}
{
title:
{
Description: The title of the incident ,
Required: True ,
}
string ,
description:
{
Description: The description of the incident ,
Required: False ,
}
string ,
severity:
{
Description: The severity of the incident ,
Enum:
{
High: High severity ,
Medium: Medium severity ,
Low: Low severity ,
Informational: Informational severity ,
}
,
Required: True ,
}
enum ,
status:
{
Description: The status of the incident ,
Enum:
{
New: An active incident which isn't being handled currently ,
Active: An active incident which is being handled ,
Closed: A non-active incident ,
}
,
Required: True ,
}
enum ,
classification:
{
Description: The reason the incident was closed ,
Enum:
{
Undetermined: Incident classification was undetermined ,
TruePositive: Incident was true positive ,
BenignPositive: Incident was benign positive ,
FalsePositive: Incident was false positive ,
}
,
Required: False ,
}
enum ,
classificationReason:
{
Description: The classification reason the incident was closed with ,
Enum:
{
SuspiciousActivity: Classification reason was suspicious activity ,
SuspiciousButExpected: Classification reason was suspicious but expected ,
IncorrectAlertLogic: Classification reason was incorrect alert logic ,
InaccurateData: Classification reason was inaccurate data ,
}
,
Required: False ,
}
enum ,
classificationComment:
{
Description: Describes the reason the incident was closed ,
Required: False ,
}
string ,
owner:
{
Description: Describes a user that the incident is assigned to ,
Required: False ,
}
{
email:
{
Description: The email of the user the incident is assigned to. ,
Required: False ,
}
string ,
assignedTo:
{
Description: The name of the user the incident is assigned to. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user the incident is assigned to. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the user the incident is assigned to. ,
Required: False ,
}
string ,
ownerType:
{
Description: The type of the owner the incident is assigned to. ,
Enum:
{
Unknown: The incident owner type is unknown ,
User: The incident owner type is an AAD user ,
Group: The incident owner type is an AAD group ,
}
,
Required: False ,
}
enum ,
}
,
labels:
{
Description: List of labels relevant to this incident ,
Required: False ,
}
[
{
labelName:
{
Description: The name of the label ,
Required: True ,
}
string ,
labelType:
{
Description: The type of the label ,
Enum:
{
User: Label manually created by a user ,
AutoAssigned: Label automatically created by the system ,
}
,
Required: False ,
}
enum ,
}
,
]
,
firstActivityTimeUtc:
{
Description: The time of the first activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastActivityTimeUtc:
{
Description: The time of the last activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The last time the incident was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdTimeUtc:
{
Description: The time the incident was created ,
Format: date-time ,
Required: False ,
}
string ,
incidentNumber:
{
Description: A sequential number ,
Format: int32 ,
Required: False ,
}
integer ,
additionalData:
{
Description: Additional data on the incident ,
Required: False ,
}
{
alertsCount:
{
Description: The number of alerts in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
bookmarksCount:
{
Description: The number of bookmarks in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
commentsCount:
{
Description: The number of comments in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
alertProductNames:
{
Description: List of product names of alerts in the incident ,
Required: False ,
}
[
string ,
]
,
tactics:
{
Description: The tactics associated with incident ,
Required: False ,
}
[
string ,
]
,
techniques:
{
Description: The techniques associated with incident's tactics ,
Required: False ,
}
[
string ,
]
,
providerIncidentUrl:
{
Description: The provider incident url to the incident in Microsoft 365 Defender portal ,
Required: False ,
}
string ,
mergedIncidentNumber:
{
Description: The incident number of the incident that the current incident was merged into ,
Required: False ,
}
string ,
mergedIncidentUrl:
{
Description: The URL to the incident that the current incident was merged into ,
Required: False ,
}
string ,
}
,
relatedAnalyticRuleIds:
{
Description: List of resource ids of Analytic rules related to the incident ,
Required: False ,
}
[
string ,
]
,
incidentUrl:
{
Description: The deep-link url to the incident in Azure portal ,
Required: False ,
}
string ,
providerName:
{
Description: The name of the source provider that generated the incident ,
Required: False ,
}
string ,
providerIncidentId:
{
Description: The incident ID assigned by the incident provider ,
Required: False ,
}
string ,
teamInformation:
{
Description: Describes a team for the incident ,
Required: False ,
}
{
teamId:
{
Description: Team ID ,
Required: False ,
}
string ,
primaryChannelUrl:
{
Description: The primary channel URL of the team ,
Required: False ,
}
string ,
teamCreationTimeUtc:
{
Description: The time the team was created ,
Format: date-time ,
Required: False ,
}
string ,
name:
{
Description: The name of the team ,
Required: False ,
}
string ,
description:
{
Description: The description of the team ,
Required: False ,
}
string ,
}
,
}
,
}
,
}

⚐ Response (200)

{
properties:
{
Description: Incident properties ,
Required: False ,
}
{
title:
{
Description: The title of the incident ,
Required: True ,
}
string ,
description:
{
Description: The description of the incident ,
Required: False ,
}
string ,
severity:
{
Description: The severity of the incident ,
Enum:
{
High: High severity ,
Medium: Medium severity ,
Low: Low severity ,
Informational: Informational severity ,
}
,
Required: True ,
}
enum ,
status:
{
Description: The status of the incident ,
Enum:
{
New: An active incident which isn't being handled currently ,
Active: An active incident which is being handled ,
Closed: A non-active incident ,
}
,
Required: True ,
}
enum ,
classification:
{
Description: The reason the incident was closed ,
Enum:
{
Undetermined: Incident classification was undetermined ,
TruePositive: Incident was true positive ,
BenignPositive: Incident was benign positive ,
FalsePositive: Incident was false positive ,
}
,
Required: False ,
}
enum ,
classificationReason:
{
Description: The classification reason the incident was closed with ,
Enum:
{
SuspiciousActivity: Classification reason was suspicious activity ,
SuspiciousButExpected: Classification reason was suspicious but expected ,
IncorrectAlertLogic: Classification reason was incorrect alert logic ,
InaccurateData: Classification reason was inaccurate data ,
}
,
Required: False ,
}
enum ,
classificationComment:
{
Description: Describes the reason the incident was closed ,
Required: False ,
}
string ,
owner:
{
Description: Describes a user that the incident is assigned to ,
Required: False ,
}
{
email:
{
Description: The email of the user the incident is assigned to. ,
Required: False ,
}
string ,
assignedTo:
{
Description: The name of the user the incident is assigned to. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user the incident is assigned to. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the user the incident is assigned to. ,
Required: False ,
}
string ,
ownerType:
{
Description: The type of the owner the incident is assigned to. ,
Enum:
{
Unknown: The incident owner type is unknown ,
User: The incident owner type is an AAD user ,
Group: The incident owner type is an AAD group ,
}
,
Required: False ,
}
enum ,
}
,
labels:
{
Description: List of labels relevant to this incident ,
Required: False ,
}
[
{
labelName:
{
Description: The name of the label ,
Required: True ,
}
string ,
labelType:
{
Description: The type of the label ,
Enum:
{
User: Label manually created by a user ,
AutoAssigned: Label automatically created by the system ,
}
,
Required: False ,
}
enum ,
}
,
]
,
firstActivityTimeUtc:
{
Description: The time of the first activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastActivityTimeUtc:
{
Description: The time of the last activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The last time the incident was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdTimeUtc:
{
Description: The time the incident was created ,
Format: date-time ,
Required: False ,
}
string ,
incidentNumber:
{
Description: A sequential number ,
Format: int32 ,
Required: False ,
}
integer ,
additionalData:
{
Description: Additional data on the incident ,
Required: False ,
}
{
alertsCount:
{
Description: The number of alerts in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
bookmarksCount:
{
Description: The number of bookmarks in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
commentsCount:
{
Description: The number of comments in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
alertProductNames:
{
Description: List of product names of alerts in the incident ,
Required: False ,
}
[
string ,
]
,
tactics:
{
Description: The tactics associated with incident ,
Required: False ,
}
[
string ,
]
,
techniques:
{
Description: The techniques associated with incident's tactics ,
Required: False ,
}
[
string ,
]
,
providerIncidentUrl:
{
Description: The provider incident url to the incident in Microsoft 365 Defender portal ,
Required: False ,
}
string ,
mergedIncidentNumber:
{
Description: The incident number of the incident that the current incident was merged into ,
Required: False ,
}
string ,
mergedIncidentUrl:
{
Description: The URL to the incident that the current incident was merged into ,
Required: False ,
}
string ,
}
,
relatedAnalyticRuleIds:
{
Description: List of resource ids of Analytic rules related to the incident ,
Required: False ,
}
[
string ,
]
,
incidentUrl:
{
Description: The deep-link url to the incident in Azure portal ,
Required: False ,
}
string ,
providerName:
{
Description: The name of the source provider that generated the incident ,
Required: False ,
}
string ,
providerIncidentId:
{
Description: The incident ID assigned by the incident provider ,
Required: False ,
}
string ,
teamInformation:
{
Description: Describes a team for the incident ,
Required: False ,
}
{
teamId:
{
Description: Team ID ,
Required: False ,
}
string ,
primaryChannelUrl:
{
Description: The primary channel URL of the team ,
Required: False ,
}
string ,
teamCreationTimeUtc:
{
Description: The time the team was created ,
Format: date-time ,
Required: False ,
}
string ,
name:
{
Description: The name of the team ,
Required: False ,
}
string ,
description:
{
Description: The description of the team ,
Required: False ,
}
string ,
}
,
}
,
}

⚐ Response (201)

{
properties:
{
Description: Incident properties ,
Required: False ,
}
{
title:
{
Description: The title of the incident ,
Required: True ,
}
string ,
description:
{
Description: The description of the incident ,
Required: False ,
}
string ,
severity:
{
Description: The severity of the incident ,
Enum:
{
High: High severity ,
Medium: Medium severity ,
Low: Low severity ,
Informational: Informational severity ,
}
,
Required: True ,
}
enum ,
status:
{
Description: The status of the incident ,
Enum:
{
New: An active incident which isn't being handled currently ,
Active: An active incident which is being handled ,
Closed: A non-active incident ,
}
,
Required: True ,
}
enum ,
classification:
{
Description: The reason the incident was closed ,
Enum:
{
Undetermined: Incident classification was undetermined ,
TruePositive: Incident was true positive ,
BenignPositive: Incident was benign positive ,
FalsePositive: Incident was false positive ,
}
,
Required: False ,
}
enum ,
classificationReason:
{
Description: The classification reason the incident was closed with ,
Enum:
{
SuspiciousActivity: Classification reason was suspicious activity ,
SuspiciousButExpected: Classification reason was suspicious but expected ,
IncorrectAlertLogic: Classification reason was incorrect alert logic ,
InaccurateData: Classification reason was inaccurate data ,
}
,
Required: False ,
}
enum ,
classificationComment:
{
Description: Describes the reason the incident was closed ,
Required: False ,
}
string ,
owner:
{
Description: Describes a user that the incident is assigned to ,
Required: False ,
}
{
email:
{
Description: The email of the user the incident is assigned to. ,
Required: False ,
}
string ,
assignedTo:
{
Description: The name of the user the incident is assigned to. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user the incident is assigned to. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the user the incident is assigned to. ,
Required: False ,
}
string ,
ownerType:
{
Description: The type of the owner the incident is assigned to. ,
Enum:
{
Unknown: The incident owner type is unknown ,
User: The incident owner type is an AAD user ,
Group: The incident owner type is an AAD group ,
}
,
Required: False ,
}
enum ,
}
,
labels:
{
Description: List of labels relevant to this incident ,
Required: False ,
}
[
{
labelName:
{
Description: The name of the label ,
Required: True ,
}
string ,
labelType:
{
Description: The type of the label ,
Enum:
{
User: Label manually created by a user ,
AutoAssigned: Label automatically created by the system ,
}
,
Required: False ,
}
enum ,
}
,
]
,
firstActivityTimeUtc:
{
Description: The time of the first activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastActivityTimeUtc:
{
Description: The time of the last activity in the incident ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The last time the incident was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdTimeUtc:
{
Description: The time the incident was created ,
Format: date-time ,
Required: False ,
}
string ,
incidentNumber:
{
Description: A sequential number ,
Format: int32 ,
Required: False ,
}
integer ,
additionalData:
{
Description: Additional data on the incident ,
Required: False ,
}
{
alertsCount:
{
Description: The number of alerts in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
bookmarksCount:
{
Description: The number of bookmarks in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
commentsCount:
{
Description: The number of comments in the incident ,
Format: int32 ,
Required: False ,
}
integer ,
alertProductNames:
{
Description: List of product names of alerts in the incident ,
Required: False ,
}
[
string ,
]
,
tactics:
{
Description: The tactics associated with incident ,
Required: False ,
}
[
string ,
]
,
techniques:
{
Description: The techniques associated with incident's tactics ,
Required: False ,
}
[
string ,
]
,
providerIncidentUrl:
{
Description: The provider incident url to the incident in Microsoft 365 Defender portal ,
Required: False ,
}
string ,
mergedIncidentNumber:
{
Description: The incident number of the incident that the current incident was merged into ,
Required: False ,
}
string ,
mergedIncidentUrl:
{
Description: The URL to the incident that the current incident was merged into ,
Required: False ,
}
string ,
}
,
relatedAnalyticRuleIds:
{
Description: List of resource ids of Analytic rules related to the incident ,
Required: False ,
}
[
string ,
]
,
incidentUrl:
{
Description: The deep-link url to the incident in Azure portal ,
Required: False ,
}
string ,
providerName:
{
Description: The name of the source provider that generated the incident ,
Required: False ,
}
string ,
providerIncidentId:
{
Description: The incident ID assigned by the incident provider ,
Required: False ,
}
string ,
teamInformation:
{
Description: Describes a team for the incident ,
Required: False ,
}
{
teamId:
{
Description: Team ID ,
Required: False ,
}
string ,
primaryChannelUrl:
{
Description: The primary channel URL of the team ,
Required: False ,
}
string ,
teamCreationTimeUtc:
{
Description: The time the team was created ,
Format: date-time ,
Required: False ,
}
string ,
name:
{
Description: The name of the team ,
Required: False ,
}
string ,
description:
{
Description: The description of the team ,
Required: False ,
}
string ,
}
,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Incidents_Delete (updated)
Description Deletes a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "Incidents_Delete",
  "Description": {
    "new": "Deletes a given incident.",
    "old": "Delete the incident."
  }
}

⚼ Request

DELETE:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{}

⚐ Response (204)

{}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Incidents_ListAlerts (updated)
Description Gets all alerts for an incident.
Reference Link ¶

⚶ Changes

{
  "#id": "Incidents_ListAlerts",
  "Description": {
    "new": "Gets all alerts for an incident.",
    "old": "Gets all incident alerts."
  }
}

⚼ Request

POST:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
value:
{
Description: Array of incident alerts. ,
Required: True ,
}
[
{
properties:
{
Description: SecurityAlert entity properties ,
Required: False ,
}
{
alertDisplayName:
{
Description: The display name of the alert. ,
Required: False ,
}
string ,
alertType:
{
Description: The type name of the alert. ,
Required: False ,
}
string ,
compromisedEntity:
{
Description: Display name of the main entity being reported on. ,
Required: False ,
}
string ,
confidenceLevel:
{
Description: The confidence level of this alert. ,
Enum:
{
Unknown: Unknown confidence, the is the default value ,
Low: Low confidence, meaning we have some doubts this is indeed malicious or part of an attack ,
High: High confidence that the alert is true positive malicious ,
}
,
Required: False ,
}
enum ,
confidenceReasons:
{
Description: The confidence reasons ,
Required: False ,
}
[
{
reason:
{
Description: The reason's description ,
Required: False ,
}
string ,
reasonType:
{
Description: The type (category) of the reason ,
Required: False ,
}
string ,
}
,
]
,
confidenceScore:
{
Description: The confidence score of the alert. ,
Format: double ,
Required: False ,
}
number ,
confidenceScoreStatus:
{
Description: The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final. ,
Enum:
{
NotApplicable: Score will not be calculated for this alert as it is not supported by virtual analyst ,
InProcess: No score was set yet and calculation is in progress ,
NotFinal: Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data ,
Final: Final score was calculated and available ,
}
,
Required: False ,
}
enum ,
description:
{
Description: Alert description. ,
Required: False ,
}
string ,
endTimeUtc:
{
Description: The impact end time of the alert (the time of the last event contributing to the alert). ,
Format: date-time ,
Required: False ,
}
string ,
intent:
{
Description: Holds the alert intent stage(s) mapping for this alert. ,
Enum:
{
Unknown: The default value. ,
Probing: Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in. ,
Exploitation: Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage. ,
Persistence: Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access. ,
PrivilegeEscalation: Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege. ,
DefenseEvasion: Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. ,
CredentialAccess: Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment. ,
Discovery: Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must navigate themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. ,
LateralMovement: Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect. ,
Execution: The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network. ,
Collection: Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. ,
Exfiltration: Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. ,
CommandAndControl: The command and control tactic represents how adversaries communicate with systems under their control within a target network. ,
Impact: The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others. ,
}
,
Required: False ,
}
enum ,
providerAlertId:
{
Description: The identifier of the alert inside the product which generated the alert. ,
Required: False ,
}
string ,
processingEndTime:
{
Description: The time the alert was made available for consumption. ,
Format: date-time ,
Required: False ,
}
string ,
productComponentName:
{
Description: The name of a component inside the product which generated the alert. ,
Required: False ,
}
string ,
productName:
{
Description: The name of the product which published this alert. ,
Required: False ,
}
string ,
productVersion:
{
Description: The version of the product generating the alert. ,
Required: False ,
}
string ,
remediationSteps:
{
Description: Manual action items to take to remediate the alert. ,
Required: False ,
}
[
string ,
]
,
severity:
{
Description: The severity of the alert ,
Enum:
{
High: High severity ,
Medium: Medium severity ,
Low: Low severity ,
Informational: Informational severity ,
}
,
Required: False ,
}
enum ,
startTimeUtc:
{
Description: The impact start time of the alert (the time of the first event contributing to the alert). ,
Format: date-time ,
Required: False ,
}
string ,
status:
{
Description: The lifecycle status of the alert. ,
Enum:
{
Unknown: Unknown value ,
New: New alert ,
Resolved: Alert closed after handling ,
Dismissed: Alert dismissed as false positive ,
InProgress: Alert is being handled ,
}
,
Required: False ,
}
enum ,
systemAlertId:
{
Description: Holds the product identifier of the alert for the product. ,
Required: False ,
}
string ,
tactics:
{
Description: The tactics of the alert ,
Required: False ,
}
[
string ,
]
,
timeGenerated:
{
Description: The time the alert was generated. ,
Format: date-time ,
Required: False ,
}
string ,
vendorName:
{
Description: The name of the vendor that raise the alert. ,
Required: False ,
}
string ,
alertLink:
{
Description: The uri link of the alert. ,
Required: False ,
}
string ,
resourceIdentifiers:
{
Description: The list of resource identifiers of the alert. ,
Required: False ,
}
[
object ,
]
,
}
,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Incidents_ListBookmarks (updated)
Description Gets all bookmarks for an incident.
Reference Link ¶

⚶ Changes

{
  "#id": "Incidents_ListBookmarks",
  "Description": {
    "new": "Gets all bookmarks for an incident.",
    "old": "Gets all incident bookmarks."
  }
}

⚼ Request

POST:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/bookmarks
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
value:
{
Description: Array of incident bookmarks. ,
Required: True ,
}
[
{
properties:
{
Description: HuntingBookmark entity properties ,
Required: False ,
}
{
created:
{
Description: The time the bookmark was created ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the bookmark ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
displayName:
{
Description: The display name of the bookmark ,
Required: True ,
}
string ,
eventTime:
{
Description: The time of the event ,
Format: date-time ,
Required: False ,
}
string ,
labels:
{
Description: List of labels relevant to this bookmark ,
Required: False ,
}
[
string ,
]
,
notes:
{
Description: The notes of the bookmark ,
Required: False ,
}
string ,
query:
{
Description: The query of the bookmark. ,
Required: True ,
}
string ,
queryResult:
{
Description: The query result of the bookmark. ,
Required: False ,
}
string ,
updated:
{
Description: The last time the bookmark was updated ,
Format: date-time ,
Required: False ,
}
string ,
updatedBy:
{
Description: Describes a user that updated the bookmark ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
incidentInfo:
{
Description: Describes an incident that relates to bookmark ,
Required: False ,
}
{
incidentId:
{
Description: Incident Id ,
Required: False ,
}
string ,
severity:
{
Description: The severity of the incident ,
Enum:
{
High: High severity ,
Medium: Medium severity ,
Low: Low severity ,
Informational: Informational severity ,
}
,
Required: False ,
}
enum ,
title:
{
Description: The title of the incident ,
Required: False ,
}
string ,
relationName:
{
Description: Relation Name ,
Required: False ,
}
string ,
}
,
}
,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
IncidentComments_List (updated)
Description Gets all comments for a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "IncidentComments_List",
  "Description": {
    "new": "Gets all comments for a given incident.",
    "old": "Gets all incident comments."
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
$filter:
{
Description: Filters the results, based on a Boolean condition. Optional. ,
Required: False ,
}
string ,
$orderby:
{
Description: Sorts the results. Optional. ,
Required: False ,
}
string ,
$top:
{
Description: Returns only the first n results. Optional. ,
Format: int32 ,
Required: False ,
}
integer ,
$skipToken:
{
Description: Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. ,
Required: False ,
}
string ,
}

⚐ Response (200)

{
value:
{
Description: Array of comments. ,
Required: True ,
}
[
{
properties:
{
Description: Incident comment properties ,
Required: False ,
}
{
message:
{
Description: The comment message ,
Required: True ,
}
string ,
createdTimeUtc:
{
Description: The time the comment was created ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The time the comment was updated ,
Format: date-time ,
Required: False ,
}
string ,
author:
{
Description: Describes the client that created the comment ,
Required: False ,
}
{
email:
{
Description: The email of the client. ,
Required: False ,
}
string ,
name:
{
Description: The name of the client. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the client. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the client. ,
Required: False ,
}
string ,
}
,
}
,
}
,
]
,
nextLink:
{
Description: URL to fetch the next set of comments. ,
Required: False ,
}
string ,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
IncidentComments_CreateOrUpdate (updated)
Description Creates or updates a comment for a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "IncidentComments_CreateOrUpdate",
  "Description": {
    "new": "Creates or updates a comment for a given incident.",
    "old": "Creates or updates the incident comment."
  }
}

⚼ Request

PUT:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
incidentCommentId:
{
Description: Incident comment ID ,
Required: True ,
}
string ,
incidentComment:
{
Description: The incident comment ,
Required: True ,
}
{
properties:
{
Description: Incident comment properties ,
Required: False ,
}
{
message:
{
Description: The comment message ,
Required: True ,
}
string ,
createdTimeUtc:
{
Description: The time the comment was created ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The time the comment was updated ,
Format: date-time ,
Required: False ,
}
string ,
author:
{
Description: Describes the client that created the comment ,
Required: False ,
}
{
email:
{
Description: The email of the client. ,
Required: False ,
}
string ,
name:
{
Description: The name of the client. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the client. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the client. ,
Required: False ,
}
string ,
}
,
}
,
}
,
}

⚐ Response (200)

{
properties:
{
Description: Incident comment properties ,
Required: False ,
}
{
message:
{
Description: The comment message ,
Required: True ,
}
string ,
createdTimeUtc:
{
Description: The time the comment was created ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The time the comment was updated ,
Format: date-time ,
Required: False ,
}
string ,
author:
{
Description: Describes the client that created the comment ,
Required: False ,
}
{
email:
{
Description: The email of the client. ,
Required: False ,
}
string ,
name:
{
Description: The name of the client. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the client. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the client. ,
Required: False ,
}
string ,
}
,
}
,
}

⚐ Response (201)

{
properties:
{
Description: Incident comment properties ,
Required: False ,
}
{
message:
{
Description: The comment message ,
Required: True ,
}
string ,
createdTimeUtc:
{
Description: The time the comment was created ,
Format: date-time ,
Required: False ,
}
string ,
lastModifiedTimeUtc:
{
Description: The time the comment was updated ,
Format: date-time ,
Required: False ,
}
string ,
author:
{
Description: Describes the client that created the comment ,
Required: False ,
}
{
email:
{
Description: The email of the client. ,
Required: False ,
}
string ,
name:
{
Description: The name of the client. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the client. ,
Format: uuid ,
Required: False ,
}
string ,
userPrincipalName:
{
Description: The user principal name of the client. ,
Required: False ,
}
string ,
}
,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
IncidentComments_Delete (updated)
Description Deletes a comment for a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "IncidentComments_Delete",
  "Description": {
    "new": "Deletes a comment for a given incident.",
    "old": "Delete the incident comment."
  }
}

⚼ Request

DELETE:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/comments/{incidentCommentId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
incidentCommentId:
{
Description: Incident comment ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{}

⚐ Response (204)

{}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Incidents_ListEntities (updated)
Description Gets all entities for an incident.
Reference Link ¶

⚶ Changes

{
  "#id": "Incidents_ListEntities",
  "Description": {
    "new": "Gets all entities for an incident.",
    "old": "Gets all incident related entities."
  }
}

⚼ Request

POST:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
entities:
{
Description: Array of the incident related entities. ,
Required: False ,
}
[
{
kind:
{
Description: The kind of the entity. ,
Enum:
{
Account: Entity represents account in the system. ,
Host: Entity represents host in the system. ,
File: Entity represents file in the system. ,
AzureResource: Entity represents azure resource in the system. ,
CloudApplication: Entity represents cloud application in the system. ,
DnsResolution: Entity represents dns resolution in the system. ,
FileHash: Entity represents file hash in the system. ,
Ip: Entity represents ip in the system. ,
Malware: Entity represents malware in the system. ,
Process: Entity represents process in the system. ,
RegistryKey: Entity represents registry key in the system. ,
RegistryValue: Entity represents registry value in the system. ,
SecurityGroup: Entity represents security group in the system. ,
Url: Entity represents url in the system. ,
IoTDevice: Entity represents IoT device in the system. ,
SecurityAlert: Entity represents security alert in the system. ,
Bookmark: Entity represents bookmark in the system. ,
Mailbox: Entity represents mailbox in the system. ,
MailCluster: Entity represents mail cluster in the system. ,
MailMessage: Entity represents mail message in the system. ,
SubmissionMail: Entity represents submission mail in the system. ,
Nic: Entity represents network interface in the system. ,
}
,
Required: True ,
}
enum ,
}
,
]
,
metaData:
{
Description: The metadata from the incident related entities results. ,
Required: False ,
}
[
{
entityKind:
{
Description: The kind of the aggregated entity. ,
Enum:
{
Account: Entity represents account in the system. ,
Host: Entity represents host in the system. ,
File: Entity represents file in the system. ,
AzureResource: Entity represents azure resource in the system. ,
CloudApplication: Entity represents cloud application in the system. ,
DnsResolution: Entity represents dns resolution in the system. ,
FileHash: Entity represents file hash in the system. ,
Ip: Entity represents ip in the system. ,
Malware: Entity represents malware in the system. ,
Process: Entity represents process in the system. ,
RegistryKey: Entity represents registry key in the system. ,
RegistryValue: Entity represents registry value in the system. ,
SecurityGroup: Entity represents security group in the system. ,
Url: Entity represents url in the system. ,
IoTDevice: Entity represents IoT device in the system. ,
SecurityAlert: Entity represents security alert in the system. ,
Bookmark: Entity represents bookmark in the system. ,
Mailbox: Entity represents mailbox in the system. ,
MailCluster: Entity represents mail cluster in the system. ,
MailMessage: Entity represents mail message in the system. ,
SubmissionMail: Entity represents submission mail in the system. ,
Nic: Entity represents network interface in the system. ,
}
,
Required: True ,
}
enum ,
count:
{
Description: Total number of aggregations of the given kind in the incident related entities result. ,
Format: int32 ,
Required: True ,
}
integer ,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
IncidentRelations_List (updated)
Description Gets all relations for a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "IncidentRelations_List",
  "Description": {
    "new": "Gets all relations for a given incident.",
    "old": "Gets all incident relations."
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
$filter:
{
Description: Filters the results, based on a Boolean condition. Optional. ,
Required: False ,
}
string ,
$orderby:
{
Description: Sorts the results. Optional. ,
Required: False ,
}
string ,
$top:
{
Description: Returns only the first n results. Optional. ,
Format: int32 ,
Required: False ,
}
integer ,
$skipToken:
{
Description: Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. ,
Required: False ,
}
string ,
}

⚐ Response (200)

{
nextLink:
{
Description: URL to fetch the next set of relations. ,
Required: False ,
}
string ,
value:
{
Description: Array of relations. ,
Required: True ,
}
[
{
properties:
{
Description: Relation properties ,
Required: False ,
}
{
relatedResourceId:
{
Description: The resource ID of the related resource ,
Required: True ,
}
string ,
relatedResourceName:
{
Description: The name of the related resource ,
Required: False ,
}
string ,
relatedResourceType:
{
Description: The resource type of the related resource ,
Required: False ,
}
string ,
relatedResourceKind:
{
Description: The resource kind of the related resource ,
Required: False ,
}
string ,
}
,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
IncidentRelations_Get (updated)
Description Gets a relation for a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "IncidentRelations_Get",
  "Description": {
    "new": "Gets a relation for a given incident.",
    "old": "Gets an incident relation."
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
relationName:
{
Description: Relation Name ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
properties:
{
Description: Relation properties ,
Required: False ,
}
{
relatedResourceId:
{
Description: The resource ID of the related resource ,
Required: True ,
}
string ,
relatedResourceName:
{
Description: The name of the related resource ,
Required: False ,
}
string ,
relatedResourceType:
{
Description: The resource type of the related resource ,
Required: False ,
}
string ,
relatedResourceKind:
{
Description: The resource kind of the related resource ,
Required: False ,
}
string ,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
IncidentRelations_Delete (updated)
Description Deletes a relation for a given incident.
Reference Link ¶

⚶ Changes

{
  "#id": "IncidentRelations_Delete",
  "Description": {
    "new": "Deletes a relation for a given incident.",
    "old": "Delete the incident relation."
  }
}

⚼ Request

DELETE:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations/{relationName}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
incidentId:
{
Description: Incident ID ,
Required: True ,
}
string ,
relationName:
{
Description: Relation Name ,
Required: True ,
}
string ,
}

⚐ Response (200)

{}

⚐ Response (204)

{}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Watchlists_List (updated)
Description Get all watchlists, without watchlist items.
Reference Link ¶

⚶ Changes

{
  "#id": "Watchlists_List",
  "Description": {
    "new": "Get all watchlists, without watchlist items.",
    "old": "Gets all watchlists, without watchlist items."
  },
  "$responses": {
    "200": {
      "$properties": {
        "value": {
          "$properties": {
            "properties": [
              {
                "#name": "sourceType",
                "Enum": {
                  "new": [
                    [
                      "Local",
                      "The source from local file."
                    ],
                    [
                      "AzureStorage",
                      "The source from Azure storage."
                    ]
                  ],
                  "old": [
                    [
                      "Local",
                      ""
                    ],
                    [
                      "AzureStorage",
                      ""
                    ]
                  ]
                }
              },
              {
                "#name": "contentType",
                "Description": {
                  "new": "The content type of the raw content. Example : text/csv or text/tsv",
                  "old": "The content type of the raw content. Example : text/csv or text/tsv "
                }
              },
              {
                "#name": "uploadStatus",
                "Description": {
                  "new": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted",
                  "old": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted"
                }
              },
              {
                "#name": "provisioningState",
                "Enum": {
                  "new": [
                    [
                      "New",
                      "The New provisioning state."
                    ],
                    [
                      "InProgress",
                      "The InProgress provisioning state."
                    ],
                    [
                      "Uploading",
                      "The Uploading provisioning state."
                    ],
                    [
                      "Deleting",
                      "The Deleting provisioning state."
                    ],
                    [
                      "Succeeded",
                      "The Succeeded provisioning state."
                    ],
                    [
                      "Failed",
                      "The Failed provisioning state."
                    ],
                    [
                      "Canceled",
                      "The Canceled provisioning state."
                    ]
                  ],
                  "old": [
                    [
                      "New",
                      ""
                    ],
                    [
                      "InProgress",
                      ""
                    ],
                    [
                      "Uploading",
                      ""
                    ],
                    [
                      "Deleting",
                      ""
                    ],
                    [
                      "Succeeded",
                      ""
                    ],
                    [
                      "Failed",
                      ""
                    ],
                    [
                      "Canceled",
                      ""
                    ]
                  ]
                }
              }
            ]
          }
        }
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
$skipToken:
{
Description: Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. ,
Required: False ,
}
string ,
}

⚐ Response (200)

{
nextLink:
{
Description: URL to fetch the next set of watchlists. ,
Required: False ,
}
string ,
value:
{
Description: Array of watchlist. ,
Required: True ,
}
[
{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: The source from local file. ,
AzureStorage: The source from Azure storage. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
provisioningState:
{
Description: Describes provisioning state ,
Enum:
{
New: The New provisioning state. ,
InProgress: The InProgress provisioning state. ,
Uploading: The Uploading provisioning state. ,
Deleting: The Deleting provisioning state. ,
Succeeded: The Succeeded provisioning state. ,
Failed: The Failed provisioning state. ,
Canceled: The Canceled provisioning state. ,
}
,
Required: False ,
}
enum ,
}
,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Watchlists_Get (updated)
Description Get a watchlist, without its watchlist items.
Reference Link ¶

⚶ Changes

{
  "#id": "Watchlists_Get",
  "Description": {
    "new": "Get a watchlist, without its watchlist items.",
    "old": "Gets a watchlist, without its watchlist items."
  },
  "$parameters": [
    {
      "#name": "watchlistAlias",
      "Description": {
        "new": "The watchlist alias",
        "old": "Watchlist Alias"
      }
    }
  ],
  "$responses": {
    "200": {
      "$properties": {
        "properties": [
          {
            "#name": "sourceType",
            "Enum": {
              "new": [
                [
                  "Local",
                  "The source from local file."
                ],
                [
                  "AzureStorage",
                  "The source from Azure storage."
                ]
              ],
              "old": [
                [
                  "Local",
                  ""
                ],
                [
                  "AzureStorage",
                  ""
                ]
              ]
            }
          },
          {
            "#name": "contentType",
            "Description": {
              "new": "The content type of the raw content. Example : text/csv or text/tsv",
              "old": "The content type of the raw content. Example : text/csv or text/tsv "
            }
          },
          {
            "#name": "uploadStatus",
            "Description": {
              "new": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted",
              "old": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted"
            }
          },
          {
            "#name": "provisioningState",
            "Enum": {
              "new": [
                [
                  "New",
                  "The New provisioning state."
                ],
                [
                  "InProgress",
                  "The InProgress provisioning state."
                ],
                [
                  "Uploading",
                  "The Uploading provisioning state."
                ],
                [
                  "Deleting",
                  "The Deleting provisioning state."
                ],
                [
                  "Succeeded",
                  "The Succeeded provisioning state."
                ],
                [
                  "Failed",
                  "The Failed provisioning state."
                ],
                [
                  "Canceled",
                  "The Canceled provisioning state."
                ]
              ],
              "old": [
                [
                  "New",
                  ""
                ],
                [
                  "InProgress",
                  ""
                ],
                [
                  "Uploading",
                  ""
                ],
                [
                  "Deleting",
                  ""
                ],
                [
                  "Succeeded",
                  ""
                ],
                [
                  "Failed",
                  ""
                ],
                [
                  "Canceled",
                  ""
                ]
              ]
            }
          }
        ]
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: The watchlist alias ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: The source from local file. ,
AzureStorage: The source from Azure storage. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
provisioningState:
{
Description: Describes provisioning state ,
Enum:
{
New: The New provisioning state. ,
InProgress: The InProgress provisioning state. ,
Uploading: The Uploading provisioning state. ,
Deleting: The Deleting provisioning state. ,
Succeeded: The Succeeded provisioning state. ,
Failed: The Failed provisioning state. ,
Canceled: The Canceled provisioning state. ,
}
,
Required: False ,
}
enum ,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
Watchlists_Delete (updated)
Description Delete a watchlist.
Reference Link ¶

⚶ Changes

{
  "#id": "Watchlists_Delete",
  "$parameters": [
    {
      "#name": "watchlistAlias",
      "Description": {
        "new": "The watchlist alias",
        "old": "Watchlist Alias"
      }
    }
  ]
}

⚼ Request

DELETE:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: The watchlist alias ,
Required: True ,
}
string ,
}

⚐ Response (202)

{
azure-asyncoperation:
{
Description: Contains the status URL on which clients are expected to poll the status of the delete operation. ,
}
string ,
location:
{
Description: Location URL to poll for result. ,
}
string ,
}

⚐ Response (204)

{}

⚐ Response (default)

{
error:
{
Description: The error object. ,
Required: False ,
}
{
code:
{
Description: The error code. ,
Required: False ,
}
string ,
message:
{
Description: The error message. ,
Required: False ,
}
string ,
target:
{
Description: The error target. ,
Required: False ,
}
string ,
details:
{
Description: The error details. ,
Required: False ,
}
[
string ,
]
,
additionalInfo:
{
Description: The error additional info. ,
Required: False ,
}
[
{
type:
{
Description: The additional info type. ,
Required: False ,
}
string ,
info:
{
Description: The additional info. ,
Required: False ,
}
object ,
}
,
]
,
}
,
}
Watchlists_CreateOrUpdate (updated)
Description Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with rawContent and contentType properties.
Reference Link ¶

⚶ Changes

{
  "#id": "Watchlists_CreateOrUpdate",
  "Description": {
    "new": "Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with rawContent and contentType properties.",
    "old": "Create or update a Watchlist and its Watchlist Items (bulk creation, e.g. through text/csv content type). To create a Watchlist and its Items, we should call this endpoint with either rawContent or a valid SAR URI and contentType properties. The rawContent is mainly used for small watchlist (content size below 3.8 MB). The SAS URI enables the creation of large watchlist, where the content size can go up to 500 MB. The status of processing such large file can be polled through the URL returned in Azure-AsyncOperation header."
  },
  "$parameters": [
    {
      "#name": "watchlistAlias",
      "Description": {
        "new": "The watchlist alias",
        "old": "Watchlist Alias"
      }
    },
    {
      "watchlist": {
        "$properties": {
          "properties": [
            {
              "#name": "sourceType",
              "Enum": {
                "new": [
                  [
                    "Local",
                    "The source from local file."
                  ],
                  [
                    "AzureStorage",
                    "The source from Azure storage."
                  ]
                ],
                "old": [
                  [
                    "Local",
                    ""
                  ],
                  [
                    "AzureStorage",
                    ""
                  ]
                ]
              }
            },
            {
              "#name": "contentType",
              "Description": {
                "new": "The content type of the raw content. Example : text/csv or text/tsv",
                "old": "The content type of the raw content. Example : text/csv or text/tsv "
              }
            },
            {
              "#name": "uploadStatus",
              "Description": {
                "new": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted",
                "old": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted"
              }
            },
            {
              "#name": "provisioningState",
              "Enum": {
                "new": [
                  [
                    "New",
                    "The New provisioning state."
                  ],
                  [
                    "InProgress",
                    "The InProgress provisioning state."
                  ],
                  [
                    "Uploading",
                    "The Uploading provisioning state."
                  ],
                  [
                    "Deleting",
                    "The Deleting provisioning state."
                  ],
                  [
                    "Succeeded",
                    "The Succeeded provisioning state."
                  ],
                  [
                    "Failed",
                    "The Failed provisioning state."
                  ],
                  [
                    "Canceled",
                    "The Canceled provisioning state."
                  ]
                ],
                "old": [
                  [
                    "New",
                    ""
                  ],
                  [
                    "InProgress",
                    ""
                  ],
                  [
                    "Uploading",
                    ""
                  ],
                  [
                    "Deleting",
                    ""
                  ],
                  [
                    "Succeeded",
                    ""
                  ],
                  [
                    "Failed",
                    ""
                  ],
                  [
                    "Canceled",
                    ""
                  ]
                ]
              }
            }
          ]
        }
      }
    }
  ],
  "$responses": {
    "200": {
      "$properties": {
        "properties": [
          {
            "#name": "sourceType",
            "Enum": {
              "new": [
                [
                  "Local",
                  "The source from local file."
                ],
                [
                  "AzureStorage",
                  "The source from Azure storage."
                ]
              ],
              "old": [
                [
                  "Local",
                  ""
                ],
                [
                  "AzureStorage",
                  ""
                ]
              ]
            }
          },
          {
            "#name": "contentType",
            "Description": {
              "new": "The content type of the raw content. Example : text/csv or text/tsv",
              "old": "The content type of the raw content. Example : text/csv or text/tsv "
            }
          },
          {
            "#name": "uploadStatus",
            "Description": {
              "new": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted",
              "old": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted"
            }
          },
          {
            "#name": "provisioningState",
            "Enum": {
              "new": [
                [
                  "New",
                  "The New provisioning state."
                ],
                [
                  "InProgress",
                  "The InProgress provisioning state."
                ],
                [
                  "Uploading",
                  "The Uploading provisioning state."
                ],
                [
                  "Deleting",
                  "The Deleting provisioning state."
                ],
                [
                  "Succeeded",
                  "The Succeeded provisioning state."
                ],
                [
                  "Failed",
                  "The Failed provisioning state."
                ],
                [
                  "Canceled",
                  "The Canceled provisioning state."
                ]
              ],
              "old": [
                [
                  "New",
                  ""
                ],
                [
                  "InProgress",
                  ""
                ],
                [
                  "Uploading",
                  ""
                ],
                [
                  "Deleting",
                  ""
                ],
                [
                  "Succeeded",
                  ""
                ],
                [
                  "Failed",
                  ""
                ],
                [
                  "Canceled",
                  ""
                ]
              ]
            }
          }
        ]
      }
    },
    "201": {
      "$properties": {
        "properties": [
          {
            "#name": "sourceType",
            "Enum": {
              "new": [
                [
                  "Local",
                  "The source from local file."
                ],
                [
                  "AzureStorage",
                  "The source from Azure storage."
                ]
              ],
              "old": [
                [
                  "Local",
                  ""
                ],
                [
                  "AzureStorage",
                  ""
                ]
              ]
            }
          },
          {
            "#name": "contentType",
            "Description": {
              "new": "The content type of the raw content. Example : text/csv or text/tsv",
              "old": "The content type of the raw content. Example : text/csv or text/tsv "
            }
          },
          {
            "#name": "uploadStatus",
            "Description": {
              "new": "The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted",
              "old": "The status of the Watchlist upload : New, InProgress or Complete. Pls note : When a Watchlist upload status is equal to InProgress, the Watchlist cannot be deleted"
            }
          },
          {
            "#name": "provisioningState",
            "Enum": {
              "new": [
                [
                  "New",
                  "The New provisioning state."
                ],
                [
                  "InProgress",
                  "The InProgress provisioning state."
                ],
                [
                  "Uploading",
                  "The Uploading provisioning state."
                ],
                [
                  "Deleting",
                  "The Deleting provisioning state."
                ],
                [
                  "Succeeded",
                  "The Succeeded provisioning state."
                ],
                [
                  "Failed",
                  "The Failed provisioning state."
                ],
                [
                  "Canceled",
                  "The Canceled provisioning state."
                ]
              ],
              "old": [
                [
                  "New",
                  ""
                ],
                [
                  "InProgress",
                  ""
                ],
                [
                  "Uploading",
                  ""
                ],
                [
                  "Deleting",
                  ""
                ],
                [
                  "Succeeded",
                  ""
                ],
                [
                  "Failed",
                  ""
                ],
                [
                  "Canceled",
                  ""
                ]
              ]
            }
          }
        ]
      }
    }
  }
}

⚼ Request

PUT:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: The watchlist alias ,
Required: True ,
}
string ,
watchlist:
{
Description: The watchlist ,
Required: True ,
}
{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: The source from local file. ,
AzureStorage: The source from Azure storage. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
provisioningState:
{
Description: Describes provisioning state ,
Enum:
{
New: The New provisioning state. ,
InProgress: The InProgress provisioning state. ,
Uploading: The Uploading provisioning state. ,
Deleting: The Deleting provisioning state. ,
Succeeded: The Succeeded provisioning state. ,
Failed: The Failed provisioning state. ,
Canceled: The Canceled provisioning state. ,
}
,
Required: False ,
}
enum ,
}
,
}
,
}

⚐ Response (200)

{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: The source from local file. ,
AzureStorage: The source from Azure storage. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
provisioningState:
{
Description: Describes provisioning state ,
Enum:
{
New: The New provisioning state. ,
InProgress: The InProgress provisioning state. ,
Uploading: The Uploading provisioning state. ,
Deleting: The Deleting provisioning state. ,
Succeeded: The Succeeded provisioning state. ,
Failed: The Failed provisioning state. ,
Canceled: The Canceled provisioning state. ,
}
,
Required: False ,
}
enum ,
}
,
}

⚐ Response (201)

{
$headers:
{
azure-asyncoperation:
{
Description: Contains the status URL on which clients are expected to poll the status of the operation. ,
}
string ,
}
,
$schema:
{
Description: Represents a Watchlist in Azure Security Insights. ,
}
{
properties:
{
Description: Watchlist properties ,
Required: False ,
}
{
watchlistId:
{
Description: The id (a Guid) of the watchlist ,
Required: False ,
}
string ,
displayName:
{
Description: The display name of the watchlist ,
Required: True ,
}
string ,
provider:
{
Description: The provider of the watchlist ,
Required: True ,
}
string ,
source:
{
Description: The filename of the watchlist, called 'source' ,
Required: False ,
}
string ,
sourceType:
{
Description: The sourceType of the watchlist ,
Enum:
{
Local: The source from local file. ,
AzureStorage: The source from Azure storage. ,
}
,
Required: False ,
}
enum ,
created:
{
Description: The time the watchlist was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
description:
{
Description: A description of the watchlist ,
Required: False ,
}
string ,
watchlistType:
{
Description: The type of the watchlist ,
Required: False ,
}
string ,
watchlistAlias:
{
Description: The alias of the watchlist ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist is deleted or not ,
Required: False ,
}
boolean ,
labels:
{
Description: List of labels relevant to this watchlist ,
Required: False ,
}
[
string ,
]
,
defaultDuration:
{
Description: The default duration of a watchlist (in ISO 8601 duration format) ,
Format: duration ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId where the watchlist belongs to ,
Required: False ,
}
string ,
numberOfLinesToSkip:
{
Description: The number of lines in a csv/tsv content to skip before the header ,
Format: int32 ,
Required: False ,
}
integer ,
rawContent:
{
Description: The raw content that represents to watchlist items to create. In case of csv/tsv content type, it's the content of the file that will parsed by the endpoint ,
Required: False ,
}
string ,
itemsSearchKey:
{
Description: The search key is used to optimize query performance when using watchlists for joins with other data. For example, enable a column with IP addresses to be the designated SearchKey field, then use this field as the key field when joining to other event data by IP address. ,
Required: True ,
}
string ,
contentType:
{
Description: The content type of the raw content. Example : text/csv or text/tsv ,
Required: False ,
}
string ,
uploadStatus:
{
Description: The status of the Watchlist upload : New, InProgress or Complete. **Note** : When a Watchlist upload status is InProgress, the Watchlist cannot be deleted ,
Required: False ,
}
string ,
provisioningState:
{
Description: Describes provisioning state ,
Enum:
{
New: The New provisioning state. ,
InProgress: The InProgress provisioning state. ,
Uploading: The Uploading provisioning state. ,
Deleting: The Deleting provisioning state. ,
Succeeded: The Succeeded provisioning state. ,
Failed: The Failed provisioning state. ,
Canceled: The Canceled provisioning state. ,
}
,
Required: False ,
}
enum ,
}
,
}
,
}

⚐ Response (default)

{
error:
{
Description: The error object. ,
Required: False ,
}
{
code:
{
Description: The error code. ,
Required: False ,
}
string ,
message:
{
Description: The error message. ,
Required: False ,
}
string ,
target:
{
Description: The error target. ,
Required: False ,
}
string ,
details:
{
Description: The error details. ,
Required: False ,
}
[
string ,
]
,
additionalInfo:
{
Description: The error additional info. ,
Required: False ,
}
[
{
type:
{
Description: The additional info type. ,
Required: False ,
}
string ,
info:
{
Description: The additional info. ,
Required: False ,
}
object ,
}
,
]
,
}
,
}
WatchlistItems_List (updated)
Description Get all watchlist Items.
Reference Link ¶

⚶ Changes

{
  "#id": "WatchlistItems_List",
  "Description": {
    "new": "Get all watchlist Items.",
    "old": "Gets all watchlist Items."
  },
  "$parameters": [
    {
      "#name": "watchlistAlias",
      "Description": {
        "new": "The watchlist alias",
        "old": "Watchlist Alias"
      }
    }
  ],
  "$responses": {
    "200": {
      "$properties": [
        {
          "#name": "nextLink",
          "Description": {
            "new": "URL to fetch the next set of watchlist items.",
            "old": "URL to fetch the next set of watchlist item."
          }
        },
        {
          "value": {
            "Description": {
              "new": "Represents a Watchlist Item in Azure Security Insights.",
              "old": "Represents a Watchlist item in Azure Security Insights."
            }
          }
        }
      ]
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: The watchlist alias ,
Required: True ,
}
string ,
$skipToken:
{
Description: Skiptoken is only used if a previous operation returned a partial result. If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls. Optional. ,
Required: False ,
}
string ,
}

⚐ Response (200)

{
nextLink:
{
Description: URL to fetch the next set of watchlist items. ,
Required: False ,
}
string ,
value:
{
Description: Array of watchlist items. ,
Required: True ,
}
[
{
properties:
{
Description: Watchlist Item properties ,
Required: False ,
}
{
watchlistItemType:
{
Description: The type of the watchlist item ,
Required: False ,
}
string ,
watchlistItemId:
{
Description: The id (a Guid) of the watchlist item ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId to which the watchlist item belongs to ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist item is deleted or not ,
Required: False ,
}
boolean ,
created:
{
Description: The time the watchlist item was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist item was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
itemsKeyValue:
{
Description: key-value pairs for a watchlist item ,
Required: True ,
}
object ,
entityMapping:
{
Description: key-value pairs for a watchlist item entity mapping ,
Required: False ,
}
object ,
}
,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
WatchlistItems_Get (updated)
Description Get a watchlist item.
Reference Link ¶

⚶ Changes

{
  "#id": "WatchlistItems_Get",
  "Description": {
    "new": "Get a watchlist item.",
    "old": "Gets a watchlist, without its watchlist items."
  },
  "$parameters": [
    {
      "#name": "watchlistAlias",
      "Description": {
        "new": "The watchlist alias",
        "old": "Watchlist Alias"
      }
    },
    {
      "#name": "watchlistItemId",
      "Description": {
        "new": "The watchlist item id (GUID)",
        "old": "Watchlist Item Id (GUID)"
      }
    }
  ],
  "$responses": {
    "200": {
      "Description": {
        "new": "Represents a Watchlist Item in Azure Security Insights.",
        "old": "Represents a Watchlist item in Azure Security Insights."
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: The watchlist alias ,
Required: True ,
}
string ,
watchlistItemId:
{
Description: The watchlist item id (GUID) ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
properties:
{
Description: Watchlist Item properties ,
Required: False ,
}
{
watchlistItemType:
{
Description: The type of the watchlist item ,
Required: False ,
}
string ,
watchlistItemId:
{
Description: The id (a Guid) of the watchlist item ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId to which the watchlist item belongs to ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist item is deleted or not ,
Required: False ,
}
boolean ,
created:
{
Description: The time the watchlist item was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist item was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
itemsKeyValue:
{
Description: key-value pairs for a watchlist item ,
Required: True ,
}
object ,
entityMapping:
{
Description: key-value pairs for a watchlist item entity mapping ,
Required: False ,
}
object ,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
WatchlistItems_Delete (updated)
Description Delete a watchlist item.
Reference Link ¶

⚶ Changes

{
  "#id": "WatchlistItems_Delete",
  "$parameters": [
    {
      "#name": "watchlistAlias",
      "Description": {
        "new": "The watchlist alias",
        "old": "Watchlist Alias"
      }
    },
    {
      "#name": "watchlistItemId",
      "Description": {
        "new": "The watchlist item id (GUID)",
        "old": "Watchlist Item Id (GUID)"
      }
    }
  ]
}

⚼ Request

DELETE:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: The watchlist alias ,
Required: True ,
}
string ,
watchlistItemId:
{
Description: The watchlist item id (GUID) ,
Required: True ,
}
string ,
}

⚐ Response (200)

{}

⚐ Response (204)

{}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
WatchlistItems_CreateOrUpdate (updated)
Description Create or update a watchlist item.
Reference Link ¶

⚶ Changes

{
  "#id": "WatchlistItems_CreateOrUpdate",
  "Description": {
    "new": "Create or update a watchlist item.",
    "old": "Creates or updates a watchlist item."
  },
  "$parameters": [
    {
      "#name": "watchlistAlias",
      "Description": {
        "new": "The watchlist alias",
        "old": "Watchlist Alias"
      }
    },
    {
      "#name": "watchlistItemId",
      "Description": {
        "new": "The watchlist item id (GUID)",
        "old": "Watchlist Item Id (GUID)"
      }
    },
    {
      "watchlistItem": {
        "Description": {
          "new": "Represents a Watchlist Item in Azure Security Insights.",
          "old": "Represents a Watchlist item in Azure Security Insights."
        }
      }
    }
  ],
  "$responses": {
    "200": {
      "Description": {
        "new": "Represents a Watchlist Item in Azure Security Insights.",
        "old": "Represents a Watchlist item in Azure Security Insights."
      }
    },
    "201": {
      "Description": {
        "new": "Represents a Watchlist Item in Azure Security Insights.",
        "old": "Represents a Watchlist item in Azure Security Insights."
      }
    }
  }
}

⚼ Request

PUT:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/watchlists/{watchlistAlias}/watchlistItems/{watchlistItemId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
watchlistAlias:
{
Description: The watchlist alias ,
Required: True ,
}
string ,
watchlistItemId:
{
Description: The watchlist item id (GUID) ,
Required: True ,
}
string ,
watchlistItem:
{
Description: The watchlist item ,
Required: True ,
}
{
properties:
{
Description: Watchlist Item properties ,
Required: False ,
}
{
watchlistItemType:
{
Description: The type of the watchlist item ,
Required: False ,
}
string ,
watchlistItemId:
{
Description: The id (a Guid) of the watchlist item ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId to which the watchlist item belongs to ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist item is deleted or not ,
Required: False ,
}
boolean ,
created:
{
Description: The time the watchlist item was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist item was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
itemsKeyValue:
{
Description: key-value pairs for a watchlist item ,
Required: True ,
}
object ,
entityMapping:
{
Description: key-value pairs for a watchlist item entity mapping ,
Required: False ,
}
object ,
}
,
}
,
}

⚐ Response (200)

{
properties:
{
Description: Watchlist Item properties ,
Required: False ,
}
{
watchlistItemType:
{
Description: The type of the watchlist item ,
Required: False ,
}
string ,
watchlistItemId:
{
Description: The id (a Guid) of the watchlist item ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId to which the watchlist item belongs to ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist item is deleted or not ,
Required: False ,
}
boolean ,
created:
{
Description: The time the watchlist item was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist item was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
itemsKeyValue:
{
Description: key-value pairs for a watchlist item ,
Required: True ,
}
object ,
entityMapping:
{
Description: key-value pairs for a watchlist item entity mapping ,
Required: False ,
}
object ,
}
,
}

⚐ Response (201)

{
properties:
{
Description: Watchlist Item properties ,
Required: False ,
}
{
watchlistItemType:
{
Description: The type of the watchlist item ,
Required: False ,
}
string ,
watchlistItemId:
{
Description: The id (a Guid) of the watchlist item ,
Required: False ,
}
string ,
tenantId:
{
Description: The tenantId to which the watchlist item belongs to ,
Required: False ,
}
string ,
isDeleted:
{
Description: A flag that indicates if the watchlist item is deleted or not ,
Required: False ,
}
boolean ,
created:
{
Description: The time the watchlist item was created ,
Format: date-time ,
Required: False ,
}
string ,
updated:
{
Description: The last time the watchlist item was updated ,
Format: date-time ,
Required: False ,
}
string ,
createdBy:
{
Description: Describes a user that created the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
updatedBy:
{
Description: Describes a user that updated the watchlist item ,
Required: False ,
}
{
email:
{
Description: The email of the user. ,
Required: False ,
}
string ,
name:
{
Description: The name of the user. ,
Required: False ,
}
string ,
objectId:
{
Description: The object id of the user. ,
Format: uuid ,
Required: False ,
}
string ,
}
,
itemsKeyValue:
{
Description: key-value pairs for a watchlist item ,
Required: True ,
}
object ,
entityMapping:
{
Description: key-value pairs for a watchlist item entity mapping ,
Required: False ,
}
object ,
}
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
DataConnectors_List (updated)
Description Gets all data connectors.
Reference Link ¶

⚶ Changes

{
  "#id": "DataConnectors_List",
  "$responses": {
    "200": {
      "$properties": {
        "value": {
          "$properties": [
            {
              "#name": "kind",
              "Enum": {
                "new": [
                  [
                    "AzureActiveDirectory",
                    ""
                  ],
                  [
                    "AzureSecurityCenter",
                    ""
                  ],
                  [
                    "MicrosoftCloudAppSecurity",
                    ""
                  ],
                  [
                    "ThreatIntelligence",
                    ""
                  ],
                  [
                    "ThreatIntelligenceTaxii",
                    ""
                  ],
                  [
                    "Office365",
                    ""
                  ],
                  [
                    "OfficeATP",
                    ""
                  ],
                  [
                    "OfficeIRM",
                    ""
                  ],
                  [
                    "Office365Project",
                    ""
                  ],
                  [
                    "MicrosoftPurviewInformationProtection",
                    ""
                  ],
                  [
                    "OfficePowerBI",
                    ""
                  ],
                  [
                    "AmazonWebServicesCloudTrail",
                    ""
                  ],
                  [
                    "AmazonWebServicesS3",
                    ""
                  ],
                  [
                    "AzureAdvancedThreatProtection",
                    ""
                  ],
                  [
                    "MicrosoftDefenderAdvancedThreatProtection",
                    ""
                  ],
                  [
                    "Dynamics365",
                    ""
                  ],
                  [
                    "MicrosoftThreatProtection",
                    ""
                  ],
                  [
                    "MicrosoftThreatIntelligence",
                    ""
                  ],
                  [
                    "PremiumMicrosoftDefenderForThreatIntelligence",
                    ""
                  ],
                  [
                    "GenericUI",
                    ""
                  ],
                  [
                    "APIPolling",
                    ""
                  ],
                  [
                    "IOT",
                    ""
                  ],
                  [
                    "GCP",
                    ""
                  ],
                  [
                    "RestApiPoller",
                    ""
                  ],
                  [
                    "PurviewAudit",
                    ""
                  ]
                ],
                "old": [
                  [
                    "AzureActiveDirectory",
                    ""
                  ],
                  [
                    "AzureSecurityCenter",
                    ""
                  ],
                  [
                    "MicrosoftCloudAppSecurity",
                    ""
                  ],
                  [
                    "ThreatIntelligence",
                    ""
                  ],
                  [
                    "ThreatIntelligenceTaxii",
                    ""
                  ],
                  [
                    "Office365",
                    ""
                  ],
                  [
                    "OfficeATP",
                    ""
                  ],
                  [
                    "OfficeIRM",
                    ""
                  ],
                  [
                    "Office365Project",
                    ""
                  ],
                  [
                    "MicrosoftPurviewInformationProtection",
                    ""
                  ],
                  [
                    "OfficePowerBI",
                    ""
                  ],
                  [
                    "AmazonWebServicesCloudTrail",
                    ""
                  ],
                  [
                    "AmazonWebServicesS3",
                    ""
                  ],
                  [
                    "AzureAdvancedThreatProtection",
                    ""
                  ],
                  [
                    "MicrosoftDefenderAdvancedThreatProtection",
                    ""
                  ],
                  [
                    "Dynamics365",
                    ""
                  ],
                  [
                    "MicrosoftThreatProtection",
                    ""
                  ],
                  [
                    "MicrosoftThreatIntelligence",
                    ""
                  ],
                  [
                    "GenericUI",
                    ""
                  ],
                  [
                    "APIPolling",
                    ""
                  ],
                  [
                    "IOT",
                    ""
                  ],
                  [
                    "GCP",
                    ""
                  ],
                  [
                    "RestApiPoller",
                    ""
                  ],
                  [
                    "PurviewAudit",
                    ""
                  ]
                ]
              }
            }
          ]
        }
      }
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
nextLink:
{
Description: URL to fetch the next set of data connectors. ,
Required: False ,
}
string ,
value:
{
Description: Array of data connectors. ,
Required: True ,
}
[
{
kind:
{
Description: The data connector kind ,
Enum:
{
AzureActiveDirectory: No description available. ,
AzureSecurityCenter: No description available. ,
MicrosoftCloudAppSecurity: No description available. ,
ThreatIntelligence: No description available. ,
ThreatIntelligenceTaxii: No description available. ,
Office365: No description available. ,
OfficeATP: No description available. ,
OfficeIRM: No description available. ,
Office365Project: No description available. ,
MicrosoftPurviewInformationProtection: No description available. ,
OfficePowerBI: No description available. ,
AmazonWebServicesCloudTrail: No description available. ,
AmazonWebServicesS3: No description available. ,
AzureAdvancedThreatProtection: No description available. ,
MicrosoftDefenderAdvancedThreatProtection: No description available. ,
Dynamics365: No description available. ,
MicrosoftThreatProtection: No description available. ,
MicrosoftThreatIntelligence: No description available. ,
PremiumMicrosoftDefenderForThreatIntelligence: No description available. ,
GenericUI: No description available. ,
APIPolling: No description available. ,
IOT: No description available. ,
GCP: No description available. ,
RestApiPoller: No description available. ,
PurviewAudit: No description available. ,
}
,
Required: True ,
}
enum ,
}
,
]
,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
DataConnectors_Get (updated)
Description Gets a data connector.
Reference Link ¶

⚶ Changes

{
  "#id": "DataConnectors_Get",
  "$responses": {
    "200": {
      "$properties": [
        {
          "#name": "kind",
          "Enum": {
            "new": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "PremiumMicrosoftDefenderForThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ],
            "old": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ]
          }
        }
      ]
    }
  }
}

⚼ Request

GET:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
dataConnectorId:
{
Description: Connector ID ,
Required: True ,
}
string ,
}

⚐ Response (200)

{
kind:
{
Description: The data connector kind ,
Enum:
{
AzureActiveDirectory: No description available. ,
AzureSecurityCenter: No description available. ,
MicrosoftCloudAppSecurity: No description available. ,
ThreatIntelligence: No description available. ,
ThreatIntelligenceTaxii: No description available. ,
Office365: No description available. ,
OfficeATP: No description available. ,
OfficeIRM: No description available. ,
Office365Project: No description available. ,
MicrosoftPurviewInformationProtection: No description available. ,
OfficePowerBI: No description available. ,
AmazonWebServicesCloudTrail: No description available. ,
AmazonWebServicesS3: No description available. ,
AzureAdvancedThreatProtection: No description available. ,
MicrosoftDefenderAdvancedThreatProtection: No description available. ,
Dynamics365: No description available. ,
MicrosoftThreatProtection: No description available. ,
MicrosoftThreatIntelligence: No description available. ,
PremiumMicrosoftDefenderForThreatIntelligence: No description available. ,
GenericUI: No description available. ,
APIPolling: No description available. ,
IOT: No description available. ,
GCP: No description available. ,
RestApiPoller: No description available. ,
PurviewAudit: No description available. ,
}
,
Required: True ,
}
enum ,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
DataConnectors_CreateOrUpdate (updated)
Description Creates or updates the data connector.
Reference Link ¶

⚶ Changes

{
  "#id": "DataConnectors_CreateOrUpdate",
  "$parameters": {
    "dataConnector": {
      "$properties": [
        {
          "#name": "kind",
          "Enum": {
            "new": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "PremiumMicrosoftDefenderForThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ],
            "old": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ]
          }
        }
      ]
    }
  },
  "$responses": {
    "200": {
      "$properties": [
        {
          "#name": "kind",
          "Enum": {
            "new": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "PremiumMicrosoftDefenderForThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ],
            "old": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ]
          }
        }
      ]
    },
    "201": {
      "$properties": [
        {
          "#name": "kind",
          "Enum": {
            "new": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "PremiumMicrosoftDefenderForThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ],
            "old": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ]
          }
        }
      ]
    }
  }
}

⚼ Request

PUT:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectors/{dataConnectorId}
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
dataConnectorId:
{
Description: Connector ID ,
Required: True ,
}
string ,
dataConnector:
{
Description: The data connector ,
Required: True ,
}
{
kind:
{
Description: The data connector kind ,
Enum:
{
AzureActiveDirectory: No description available. ,
AzureSecurityCenter: No description available. ,
MicrosoftCloudAppSecurity: No description available. ,
ThreatIntelligence: No description available. ,
ThreatIntelligenceTaxii: No description available. ,
Office365: No description available. ,
OfficeATP: No description available. ,
OfficeIRM: No description available. ,
Office365Project: No description available. ,
MicrosoftPurviewInformationProtection: No description available. ,
OfficePowerBI: No description available. ,
AmazonWebServicesCloudTrail: No description available. ,
AmazonWebServicesS3: No description available. ,
AzureAdvancedThreatProtection: No description available. ,
MicrosoftDefenderAdvancedThreatProtection: No description available. ,
Dynamics365: No description available. ,
MicrosoftThreatProtection: No description available. ,
MicrosoftThreatIntelligence: No description available. ,
PremiumMicrosoftDefenderForThreatIntelligence: No description available. ,
GenericUI: No description available. ,
APIPolling: No description available. ,
IOT: No description available. ,
GCP: No description available. ,
RestApiPoller: No description available. ,
PurviewAudit: No description available. ,
}
,
Required: True ,
}
enum ,
}
,
}

⚐ Response (200)

{
kind:
{
Description: The data connector kind ,
Enum:
{
AzureActiveDirectory: No description available. ,
AzureSecurityCenter: No description available. ,
MicrosoftCloudAppSecurity: No description available. ,
ThreatIntelligence: No description available. ,
ThreatIntelligenceTaxii: No description available. ,
Office365: No description available. ,
OfficeATP: No description available. ,
OfficeIRM: No description available. ,
Office365Project: No description available. ,
MicrosoftPurviewInformationProtection: No description available. ,
OfficePowerBI: No description available. ,
AmazonWebServicesCloudTrail: No description available. ,
AmazonWebServicesS3: No description available. ,
AzureAdvancedThreatProtection: No description available. ,
MicrosoftDefenderAdvancedThreatProtection: No description available. ,
Dynamics365: No description available. ,
MicrosoftThreatProtection: No description available. ,
MicrosoftThreatIntelligence: No description available. ,
PremiumMicrosoftDefenderForThreatIntelligence: No description available. ,
GenericUI: No description available. ,
APIPolling: No description available. ,
IOT: No description available. ,
GCP: No description available. ,
RestApiPoller: No description available. ,
PurviewAudit: No description available. ,
}
,
Required: True ,
}
enum ,
}

⚐ Response (201)

{
kind:
{
Description: The data connector kind ,
Enum:
{
AzureActiveDirectory: No description available. ,
AzureSecurityCenter: No description available. ,
MicrosoftCloudAppSecurity: No description available. ,
ThreatIntelligence: No description available. ,
ThreatIntelligenceTaxii: No description available. ,
Office365: No description available. ,
OfficeATP: No description available. ,
OfficeIRM: No description available. ,
Office365Project: No description available. ,
MicrosoftPurviewInformationProtection: No description available. ,
OfficePowerBI: No description available. ,
AmazonWebServicesCloudTrail: No description available. ,
AmazonWebServicesS3: No description available. ,
AzureAdvancedThreatProtection: No description available. ,
MicrosoftDefenderAdvancedThreatProtection: No description available. ,
Dynamics365: No description available. ,
MicrosoftThreatProtection: No description available. ,
MicrosoftThreatIntelligence: No description available. ,
PremiumMicrosoftDefenderForThreatIntelligence: No description available. ,
GenericUI: No description available. ,
APIPolling: No description available. ,
IOT: No description available. ,
GCP: No description available. ,
RestApiPoller: No description available. ,
PurviewAudit: No description available. ,
}
,
Required: True ,
}
enum ,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}
DataConnectorsCheckRequirements_Post (updated)
Description Get requirements state for a data connector type.
Reference Link ¶

⚶ Changes

{
  "#id": "DataConnectorsCheckRequirements_Post",
  "$parameters": {
    "DataConnectorsCheckRequirements": {
      "$properties": [
        {
          "#name": "kind",
          "Enum": {
            "new": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "PremiumMicrosoftDefenderForThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ],
            "old": [
              [
                "AzureActiveDirectory",
                ""
              ],
              [
                "AzureSecurityCenter",
                ""
              ],
              [
                "MicrosoftCloudAppSecurity",
                ""
              ],
              [
                "ThreatIntelligence",
                ""
              ],
              [
                "ThreatIntelligenceTaxii",
                ""
              ],
              [
                "Office365",
                ""
              ],
              [
                "OfficeATP",
                ""
              ],
              [
                "OfficeIRM",
                ""
              ],
              [
                "Office365Project",
                ""
              ],
              [
                "MicrosoftPurviewInformationProtection",
                ""
              ],
              [
                "OfficePowerBI",
                ""
              ],
              [
                "AmazonWebServicesCloudTrail",
                ""
              ],
              [
                "AmazonWebServicesS3",
                ""
              ],
              [
                "AzureAdvancedThreatProtection",
                ""
              ],
              [
                "MicrosoftDefenderAdvancedThreatProtection",
                ""
              ],
              [
                "Dynamics365",
                ""
              ],
              [
                "MicrosoftThreatProtection",
                ""
              ],
              [
                "MicrosoftThreatIntelligence",
                ""
              ],
              [
                "GenericUI",
                ""
              ],
              [
                "APIPolling",
                ""
              ],
              [
                "IOT",
                ""
              ],
              [
                "GCP",
                ""
              ],
              [
                "RestApiPoller",
                ""
              ],
              [
                "PurviewAudit",
                ""
              ]
            ]
          }
        }
      ]
    }
  }
}

⚼ Request

POST:  /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/dataConnectorsCheckRequirements
{
api-version:
{
Description: The API version to use for this operation. ,
Required: True ,
}
string ,
subscriptionId:
{
Description: The ID of the target subscription. The value must be an UUID. ,
Format: uuid ,
Required: True ,
}
string ,
resourceGroupName:
{
Description: The name of the resource group. The name is case insensitive. ,
Required: True ,
}
string ,
workspaceName:
{
Description: The name of the workspace. ,
Required: True ,
}
string ,
DataConnectorsCheckRequirements:
{
Description: The parameters for requirements check message ,
Required: True ,
}
{
kind:
{
Description: Describes the kind of connector to be checked. ,
Enum:
{
AzureActiveDirectory: No description available. ,
AzureSecurityCenter: No description available. ,
MicrosoftCloudAppSecurity: No description available. ,
ThreatIntelligence: No description available. ,
ThreatIntelligenceTaxii: No description available. ,
Office365: No description available. ,
OfficeATP: No description available. ,
OfficeIRM: No description available. ,
Office365Project: No description available. ,
MicrosoftPurviewInformationProtection: No description available. ,
OfficePowerBI: No description available. ,
AmazonWebServicesCloudTrail: No description available. ,
AmazonWebServicesS3: No description available. ,
AzureAdvancedThreatProtection: No description available. ,
MicrosoftDefenderAdvancedThreatProtection: No description available. ,
Dynamics365: No description available. ,
MicrosoftThreatProtection: No description available. ,
MicrosoftThreatIntelligence: No description available. ,
PremiumMicrosoftDefenderForThreatIntelligence: No description available. ,
GenericUI: No description available. ,
APIPolling: No description available. ,
IOT: No description available. ,
GCP: No description available. ,
RestApiPoller: No description available. ,
PurviewAudit: No description available. ,
}
,
Required: True ,
}
enum ,
}
,
}

⚐ Response (200)

{
authorizationState:
{
Description: Authorization state for this connector ,
Enum:
{
Valid: No description available. ,
Invalid: No description available. ,
}
,
Required: False ,
}
enum ,
licenseState:
{
Description: License state for this connector ,
Enum:
{
Valid: No description available. ,
Invalid: No description available. ,
Unknown: No description available. ,
}
,
Required: False ,
}
enum ,
}

⚐ Response (default)

{
error:
{
Description: Error data ,
Required: False ,
}
{
code:
{
Description: An identifier for the error. Codes are invariant and are intended to be consumed programmatically. ,
Required: False ,
}
string ,
message:
{
Description: A message describing the error, intended to be suitable for display in a user interface. ,
Required: False ,
}
string ,
}
,
}