MICROSOFT.SECURITYINSIGHTS
# Actions_* — operations on the actions attached to an alert rule, addressed
# by workspaceName / ruleId / actionId under input.ReqMap.
# STRING is a type placeholder: each line constrains a field by type only.

# Create or update one action.
# NOTE(review): triggerUri and logicAppResourceId are typed STRING with no
# scheme, host or scope restriction in this schema. triggerUri is presumably
# the Logic App callback URL, which normally embeds a signature — treat it as
# a secret wherever policy input is logged, and confirm against the API spec.
Actions_CreateOrUpdate
valid {
input.Body.properties.triggerUri == STRING
input.Body.properties.logicAppResourceId == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
input.ReqMap.actionId == STRING
input.Qs.api-version == STRING
# NOTE(review): ReqMap and ProviderMetadata both carry SubscriptionID and
# ResourceGroup, but nothing here requires the two to be equal — a policy
# that scopes by one should check which of them is authoritative.
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete one action. No request body is typed: only the path scope,
# api-version and provider metadata.
Actions_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
input.ReqMap.actionId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one action. Same fields as Actions_Delete.
Actions_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
input.ReqMap.actionId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List the actions of one alert rule: no actionId in the path.
Actions_ListByAlertRule
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# AlertRuleTemplates_* — read-only operations; no request body is typed.

# Read one template, addressed by alertRuleTemplateId.
AlertRuleTemplates_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.alertRuleTemplateId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List templates in a workspace.
AlertRuleTemplates_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# AlertRules_* — operations on alert rules, addressed by ruleId.

# Create or update a rule.
# NOTE(review): only Body.kind and Body.etag are typed. The kind-specific
# rule properties are not part of this schema, so a policy written against it
# can gate on the rule kind but cannot inspect what the rule actually does.
AlertRules_CreateOrUpdate
enum_AlertRuleKindEnum := [ "Scheduled", "MicrosoftSecurityIncidentCreation", "Fusion" ]
valid {
input.Body.kind == enum_AlertRuleKindEnum[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete a rule. Removing a detection rule reduces coverage, so this is an
# operation worth alerting on; nothing beyond the path scope is typed.
AlertRules_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one rule.
AlertRules_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List rules in a workspace.
AlertRules_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# AutomationRules_* — operations on automation rules, addressed by
# automationRuleId.

# Create or update an automation rule. The enums below fix the allowed action
# types, condition types and trigger values.
# NOTE(review): each action is typed only by `order` and `actionType`, and
# each condition only by `conditionType`; the configuration behind an action
# (e.g. what a "RunPlaybook" action runs) is not part of this schema.
# NOTE(review): if these lines are evaluated as literal Rego, `x[_] == e[_]`
# is existential — it holds when at least one array element matches, not when
# every element does. Confirm how the consumer treats `[_]` before relying on
# it to reject a list that mixes allowed and disallowed values.
AutomationRules_CreateOrUpdate
enum_ActionType := [ "ModifyProperties", "RunPlaybook", "AddIncidentTask" ]
enum_ConditionType := [ "Property", "PropertyArray", "PropertyChanged", "PropertyArrayChanged", "Boolean" ]
enum_triggersOn := [ "Incidents", "Alerts" ]
enum_triggersWhen := [ "Created", "Updated" ]
valid {
input.Body.properties.displayName == STRING
input.Body.properties.order == INTEGER
input.Body.properties.triggeringLogic.isEnabled == BOOLEAN
input.Body.properties.triggeringLogic.expirationTimeUtc == STRING
input.Body.properties.triggeringLogic.triggersOn == enum_triggersOn[_]
input.Body.properties.triggeringLogic.triggersWhen == enum_triggersWhen[_]
input.Body.properties.triggeringLogic.conditions[_].conditionType == enum_ConditionType[_]
input.Body.properties.actions[_].order == INTEGER
input.Body.properties.actions[_].actionType == enum_ActionType[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.automationRuleId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete an automation rule. No request body is typed.
AutomationRules_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.automationRuleId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one automation rule.
AutomationRules_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.automationRuleId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List automation rules in a workspace.
AutomationRules_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# BillingStatistics_* — read-only operations; no request body is typed.

# Read one statistic, addressed by billingStatisticName.
BillingStatistics_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.billingStatisticName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List statistics for a workspace.
BillingStatistics_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# BookmarkRelations_* — relations of a bookmark, addressed by bookmarkId /
# relationName. Each write/read/delete appears twice: a plain form whose
# api-version is any STRING, and a `*Relation` form that adds the
# operationalInsightsResourceProvider path parameter and pins api-version to
# "2019-01-01-preview".

# Create or update a relation.
# NOTE(review): relatedResourceId is typed STRING only; nothing here ties the
# referenced resource to the same subscription or workspace as the path.
BookmarkRelations_CreateOrUpdate
valid {
input.Body.properties.relatedResourceId == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Preview-API form of the create/update above.
BookmarkRelations_CreateOrUpdateRelation
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.Body.properties.relatedResourceId == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete a relation. No request body is typed.
BookmarkRelations_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Preview-API form of the delete above.
BookmarkRelations_DeleteRelation
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one relation.
BookmarkRelations_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Preview-API form of the read above.
BookmarkRelations_GetRelation
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List the relations of one bookmark, with $filter / $orderby / $top /
# $skipToken query options.
# NOTE(review): if the body is evaluated as a literal Rego conjunction, a
# request that omits any of these query options would not be `valid` —
# confirm the consumer treats the lines as a type template, not as a
# required-field list.
BookmarkRelations_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Expand a bookmark: the body carries an expansionId and a start/end time
# window, all typed STRING (no timestamp format or ordering is expressed).
Bookmark_Expand
valid {
input.Body.endTime == STRING
input.Body.expansionId == STRING
input.Body.startTime == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Bookmarks_* — operations on bookmarks, addressed by bookmarkId.

# Create or update a bookmark.
# NOTE(review): created / createdBy.objectId / updated / updatedBy.objectId
# appear in the request body, i.e. they are caller-supplied in this shape.
# Whether the service overwrites them is not visible here; do not treat them
# as authoritative identity or time evidence in a policy decision.
# NOTE(review): query, queryResult and notes are free-form STRING and may
# hold investigation data — consider that when logging policy input.
Bookmarks_CreateOrUpdate
enum_IncidentSeverityEnum := [ "High", "Medium", "Low", "Informational" ]
valid {
input.Body.properties.created == STRING
input.Body.properties.createdBy.objectId == STRING
input.Body.properties.displayName == STRING
input.Body.properties.labels[_] == STRING
input.Body.properties.notes == STRING
input.Body.properties.query == STRING
input.Body.properties.queryResult == STRING
input.Body.properties.updated == STRING
input.Body.properties.updatedBy.objectId == STRING
input.Body.properties.eventTime == STRING
input.Body.properties.queryStartTime == STRING
input.Body.properties.queryEndTime == STRING
input.Body.properties.incidentInfo.incidentId == STRING
input.Body.properties.incidentInfo.severity == enum_IncidentSeverityEnum[_]
input.Body.properties.incidentInfo.title == STRING
input.Body.properties.incidentInfo.relationName == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete a bookmark. No request body is typed.
Bookmarks_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one bookmark.
Bookmarks_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.bookmarkId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List bookmarks in a workspace.
Bookmarks_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Create a comment on a case (caseId / caseCommentId). api-version is pinned
# to the single preview value in enum_ApiVersion; the comment text is a
# free-form STRING.
CaseComments_CreateComment
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.Body.properties.message == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.ReqMap.caseCommentId == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# CaseRelations_* — relations of a case, addressed by caseId / relationName.
# All four operations pin api-version to "2019-01-01-preview".

# Create or update a relation between a source and a target node.
# NOTE(review): a path segment written as `.STRING` (relationAdditionalProperties.STRING,
# input.Body.STRING) presumably stands for "any key" — i.e. an open map of
# string values. If so, the body accepts arbitrary extra properties and a
# policy cannot enumerate them from this schema; confirm with the generator.
CaseRelations_CreateOrUpdateRelation
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.Body.properties.relationName == STRING
input.Body.properties.sourceRelationNode.relationNodeId == STRING
input.Body.properties.sourceRelationNode.etag == STRING
input.Body.properties.sourceRelationNode.relationAdditionalProperties.STRING == STRING
input.Body.properties.targetRelationNode.relationNodeId == STRING
input.Body.properties.targetRelationNode.etag == STRING
input.Body.properties.targetRelationNode.relationAdditionalProperties.STRING == STRING
input.Body.STRING == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete a relation. No request body is typed.
CaseRelations_DeleteRelation
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one relation.
CaseRelations_GetRelation
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List the relations of one case, with $filter / $orderby / $top /
# $skipToken query options.
CaseRelations_List
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one case aggregation, addressed by aggregationsName. api-version is
# pinned to the single preview value; no request body is typed.
CasesAggregations_Get
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.aggregationsName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Cases_* — operations on cases, addressed by caseId. Every operation pins
# api-version to "2019-01-01-preview".
# NOTE(review): enum_ApiVersion is re-declared under each operation; that is
# only well-formed if every operation is its own scope — confirm before
# merging these into a single policy package.

# Create or update a case. closeReason, severity and status are enum-checked;
# the remaining body fields are typed STRING only.
# NOTE(review): owner.objectId comes from the request body and is not tied to
# the caller's identity anywhere in this schema.
Cases_CreateOrUpdate
enum_ApiVersion := [ "2019-01-01-preview" ]
enum_CasePropertiesCloseReason := [ "Resolved", "Dismissed", "TruePositive", "FalsePositive", "Other" ]
enum_CasePropertiesSeverity := [ "Critical", "High", "Medium", "Low", "Informational" ]
enum_CasePropertiesStatus := [ "Draft", "New", "InProgress", "Closed" ]
valid {
input.Body.properties.closeReason == enum_CasePropertiesCloseReason[_]
input.Body.properties.closedReasonText == STRING
input.Body.properties.description == STRING
input.Body.properties.endTimeUtc == STRING
input.Body.properties.labels[_] == STRING
input.Body.properties.owner.objectId == STRING
input.Body.properties.severity == enum_CasePropertiesSeverity[_]
input.Body.properties.startTimeUtc == STRING
input.Body.properties.status == enum_CasePropertiesStatus[_]
input.Body.properties.title == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete a case. No request body is typed.
Cases_Delete
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one case.
Cases_Get
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one comment of a case, addressed by caseCommentId.
Cases_GetComment
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.ReqMap.caseCommentId == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List cases in a workspace, with $filter / $orderby / $top / $skipToken
# query options.
Cases_List
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List the comments of one case (caseId), with $filter / $orderby / $top /
# $skipToken query options. api-version is pinned to the single preview value.
Comments_ListByCase
enum_ApiVersion := [ "2019-01-01-preview" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.operationalInsightsResourceProvider == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.caseId == STRING
input.Qs.api-version == enum_ApiVersion[_]
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# ContentPackage(s)_* — install, uninstall, read and list content packages,
# addressed by packageId.

# Install a package. The body carries the package's descriptive metadata.
# NOTE(review): source.kind, support.tier, author.* and publisherDisplayName
# are all read from the request body, so they are caller-asserted. A policy
# that allows installs based on, say, support.tier == "Microsoft" is trusting
# a value the requester wrote; provenance has to be verified elsewhere.
# NOTE(review): `input.Body.properties.STRING == STRING` presumably means
# "any additional string-valued key" — the properties object is open-ended.
# The is* flags are the strings "true"/"false", not BOOLEAN.
ContentPackage_Install
enum_metadataDependenciesOperator := [ "AND", "OR" ]
enum_metadataKind := [ "DataConnector", "DataType", "Workbook", "WorkbookTemplate", "Playbook", "PlaybookTemplate", "AnalyticsRuleTemplate", "AnalyticsRule", "HuntingQuery", "InvestigationQuery", "Parser", "Watchlist", "WatchlistTemplate", "Solution", "AzureFunction", "LogicAppsCustomConnector", "AutomationRule" ]
enum_metadataPackageKind := [ "Solution", "Standalone" ]
enum_metadataSourceKind := [ "LocalWorkspace", "Community", "Solution", "SourceRepository" ]
enum_metadataSupportTier := [ "Microsoft", "Partner", "Community" ]
enum_metadataTrueFalseFlag := [ "true", "false" ]
valid {
input.Body.properties.STRING == STRING
input.Body.properties.contentId == STRING
input.Body.properties.contentProductId == STRING
input.Body.properties.contentKind == enum_metadataPackageKind[_]
input.Body.properties.contentSchemaVersion == STRING
input.Body.properties.isNew == enum_metadataTrueFalseFlag[_]
input.Body.properties.isPreview == enum_metadataTrueFalseFlag[_]
input.Body.properties.isFeatured == enum_metadataTrueFalseFlag[_]
input.Body.properties.isDeprecated == enum_metadataTrueFalseFlag[_]
input.Body.properties.version == STRING
input.Body.properties.displayName == STRING
input.Body.properties.description == STRING
input.Body.properties.publisherDisplayName == STRING
input.Body.properties.source.kind == enum_metadataSourceKind[_]
input.Body.properties.source.name == STRING
input.Body.properties.source.sourceId == STRING
input.Body.properties.author.name == STRING
input.Body.properties.author.email == STRING
input.Body.properties.author.link == STRING
input.Body.properties.support.tier == enum_metadataSupportTier[_]
input.Body.properties.support.name == STRING
input.Body.properties.support.email == STRING
input.Body.properties.support.link == STRING
input.Body.properties.dependencies.contentId == STRING
input.Body.properties.dependencies.kind == enum_metadataKind[_]
input.Body.properties.dependencies.version == STRING
input.Body.properties.dependencies.name == STRING
input.Body.properties.dependencies.operator == enum_metadataDependenciesOperator[_]
# NESTED: presumably each criterion is itself a dependencies object, so the
# tree is not bounded or typed past this level — TODO confirm.
input.Body.properties.dependencies.criteria[_] == NESTED
input.Body.properties.providers[_] == STRING
input.Body.properties.firstPublishDate == STRING
input.Body.properties.lastPublishDate == STRING
input.Body.properties.categories.domains[_] == STRING
input.Body.properties.categories.verticals[_] == STRING
input.Body.properties.threatAnalysisTactics[_] == STRING
input.Body.properties.threatAnalysisTechniques[_] == STRING
input.Body.properties.icon == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.packageId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Uninstall a package. No request body is typed.
ContentPackage_Uninstall
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.packageId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one installed package.
ContentPackages_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.packageId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List packages, with $filter / $orderby / $search / $count / $top / $skip /
# $skipToken query options ($count is BOOLEAN, $top and $skip are INTEGER).
ContentPackages_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$search == STRING
input.Qs.$count == BOOLEAN
input.Qs.$top == INTEGER
input.Qs.$skip == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# ContentTemplate(s)_* — delete, read, install and list content templates,
# addressed by templateId.

# Delete a template. No request body is typed.
ContentTemplate_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.templateId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one template.
ContentTemplate_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.templateId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Install a template. The body carries descriptive metadata plus the
# template payload itself under properties.mainTemplate.
# NOTE(review): mainTemplate is typed only as `mainTemplate.STRING == STRING`,
# presumably an open map — the deployable content is not inspected by this
# schema, so a policy built on it sees the label, not the payload.
# NOTE(review): source.*, support.* and author.* come from the request body
# and are caller-asserted; do not use them as proof of provenance.
ContentTemplate_Install
enum_metadataDependenciesOperator := [ "AND", "OR" ]
enum_metadataKind := [ "DataConnector", "DataType", "Workbook", "WorkbookTemplate", "Playbook", "PlaybookTemplate", "AnalyticsRuleTemplate", "AnalyticsRule", "HuntingQuery", "InvestigationQuery", "Parser", "Watchlist", "WatchlistTemplate", "Solution", "AzureFunction", "LogicAppsCustomConnector", "AutomationRule" ]
enum_metadataPackageKind := [ "Solution", "Standalone" ]
enum_metadataSourceKind := [ "LocalWorkspace", "Community", "Solution", "SourceRepository" ]
enum_metadataSupportTier := [ "Microsoft", "Partner", "Community" ]
valid {
input.Body.properties.STRING == STRING
input.Body.properties.contentId == STRING
input.Body.properties.contentProductId == STRING
input.Body.properties.packageVersion == STRING
input.Body.properties.version == STRING
input.Body.properties.displayName == STRING
input.Body.properties.contentKind == enum_metadataKind[_]
input.Body.properties.source.kind == enum_metadataSourceKind[_]
input.Body.properties.source.name == STRING
input.Body.properties.source.sourceId == STRING
input.Body.properties.author.name == STRING
input.Body.properties.author.email == STRING
input.Body.properties.author.link == STRING
input.Body.properties.support.tier == enum_metadataSupportTier[_]
input.Body.properties.support.name == STRING
input.Body.properties.support.email == STRING
input.Body.properties.support.link == STRING
input.Body.properties.dependencies.contentId == STRING
input.Body.properties.dependencies.kind == enum_metadataKind[_]
input.Body.properties.dependencies.version == STRING
input.Body.properties.dependencies.name == STRING
input.Body.properties.dependencies.operator == enum_metadataDependenciesOperator[_]
input.Body.properties.dependencies.criteria[_] == NESTED
input.Body.properties.categories.domains[_] == STRING
input.Body.properties.categories.verticals[_] == STRING
input.Body.properties.providers[_] == STRING
input.Body.properties.firstPublishDate == STRING
input.Body.properties.lastPublishDate == STRING
input.Body.properties.customVersion == STRING
input.Body.properties.contentSchemaVersion == STRING
input.Body.properties.icon == STRING
input.Body.properties.threatAnalysisTactics[_] == STRING
input.Body.properties.threatAnalysisTechniques[_] == STRING
input.Body.properties.previewImages[_] == STRING
input.Body.properties.previewImagesDark[_] == STRING
input.Body.properties.packageId == STRING
input.Body.properties.packageKind == enum_metadataPackageKind[_]
input.Body.properties.packageName == STRING
input.Body.properties.mainTemplate.STRING == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.templateId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List templates, with $filter / $orderby / $expand / $search / $count /
# $top / $skip / $skipToken query options.
ContentTemplates_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$expand == STRING
input.Qs.$search == STRING
input.Qs.$count == BOOLEAN
input.Qs.$top == INTEGER
input.Qs.$skip == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# DataConnectorDefinitions_* — operations on connector definitions,
# addressed by dataConnectorDefinitionName.

# Create or update a definition. The only allowed kind is "Customizable".
# NOTE(review): only Body.kind and Body.etag are typed; the definition's
# actual configuration is not part of this schema.
DataConnectorDefinitions_CreateOrUpdate
enum_DataConnectorDefinitionKind := [ "Customizable" ]
valid {
input.Body.kind == enum_DataConnectorDefinitionKind[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorDefinitionName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Delete a definition. No request body is typed.
DataConnectorDefinitions_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorDefinitionName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Read one definition.
DataConnectorDefinitions_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorDefinitionName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# List definitions in a workspace.
DataConnectorDefinitions_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Check the requirements for a connector kind; the body carries only `kind`.
# NOTE(review): this enum_DataConnectorKind lists many more kinds than the
# enum of the same name under DataConnectors_CreateOrUpdate. The two are not
# interchangeable — resolve the name per operation, never globally.
DataConnectorsCheckRequirements_Post
enum_DataConnectorKind := [ "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", "ThreatIntelligence", "ThreatIntelligenceTaxii", "Office365", "OfficeATP", "OfficeIRM", "Office365Project", "MicrosoftPurviewInformationProtection", "OfficePowerBI", "AmazonWebServicesCloudTrail", "AmazonWebServicesS3", "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection", "Dynamics365", "MicrosoftThreatProtection", "MicrosoftThreatIntelligence", "GenericUI", "APIPolling", "IOT", "GCP", "RestApiPoller" ]
valid {
input.Body.kind == enum_DataConnectorKind[_]
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
# Connect a data connector (dataConnectorId) using one of three credential
# styles selected by Body.kind: "Basic", "OAuth2" or "APIKey".
# NOTE(review): the body carries live credentials — apiKey, clientSecret,
# authorizationCode, userName and password — typed as plain STRING. Any
# component that evaluates or records this input (policy engine, decision
# log, request trace) will see them in clear text; mask or drop these fields
# before logging and restrict who can read the evaluation input.
# NOTE(review): nothing here links `kind` to the credential fields that
# belong to it, and dataCollectionEndpoint is an unconstrained STRING (no
# scheme or host allow-list) — both would need explicit policy checks.
DataConnectors_Connect
enum_DataConnectorConnectBodyKind := [ "Basic", "OAuth2", "APIKey" ]
valid {
input.Body.kind == enum_DataConnectorConnectBodyKind[_]
input.Body.apiKey == STRING
input.Body.dataCollectionEndpoint == STRING
input.Body.dataCollectionRuleImmutableId == STRING
input.Body.outputStream == STRING
input.Body.clientSecret == STRING
input.Body.clientId == STRING
input.Body.authorizationCode == STRING
input.Body.userName == STRING
input.Body.password == STRING
# Open map of user-supplied values (any key, STRING value); may also hold
# secrets depending on the connector — TODO confirm.
input.Body.requestConfigUserInputValues[_].STRING == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
DataConnectors_CreateOrUpdate
# Request shape for creating or updating a data connector: connector kind, etag
# and the connector's path scope.
# This enum lists 8 kinds; a longer list is declared under the same name
# (enum_DataConnectorKind) earlier in this file. Check which list a policy is
# meant to enforce, and note that two ":=" declarations of one name would
# conflict if the operations were merged into a single Rego package.
enum_DataConnectorKind := [ "AzureActiveDirectory", "AzureSecurityCenter", "MicrosoftCloudAppSecurity", "ThreatIntelligence", "Office365", "AmazonWebServicesCloudTrail", "AzureAdvancedThreatProtection", "MicrosoftDefenderAdvancedThreatProtection" ]
valid {
input.Body.kind == enum_DataConnectorKind[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
DataConnectors_Delete
# Path-only rule: no request body, only the connector's scope and id.
# NOTE(review): removing a connector presumably stops ingestion from that
# source, so this operation is worth restricting and alerting on - confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
DataConnectors_Disconnect
# Path-only rule: no request body, only the connector's scope and id.
# NOTE(review): disconnecting presumably interrupts telemetry from the source
# without deleting the connector; treat it like a delete for alerting - confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
DataConnectors_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.dataConnectorId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
DataConnectors_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
DomainWhois_Get
# Whois lookup scoped to a subscription and resource group only: ReqMap has no
# workspaceName here, so workspace-based restrictions do not apply to it.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.Qs.api-version == STRING
# The looked-up domain travels in the query string (ListWhoisByDomain in this
# file takes it in the body instead); it is an unconstrained string here.
input.Qs.domain == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntitiesGetTimeline_list
# Request shape for an entity timeline query: requested kinds, a time window,
# a bucket count, and the entity's path scope.
enum_EntityTimelineKind := [ "Activity", "Bookmark", "SecurityAlert", "Anomaly" ]
valid {
# If evaluated as Rego, "kinds[_] == enum[_]" holds as soon as ONE element of
# kinds is in the enum; it does not prove every element is. Use "every" or a
# negated helper when all elements must be constrained.
input.Body.kinds[_] == enum_EntityTimelineKind[_]
# startTime/endTime are plain strings here: no timestamp format or ordering
# (start before end) is expressed.
input.Body.startTime == STRING
input.Body.endTime == STRING
# No lower or upper bound is expressed for the bucket count.
input.Body.numberOfBucket == INTEGER
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntitiesRelations_List
# Request shape for listing an entity's relations, with OData-style paging and
# filtering parameters in the query string.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityId == STRING
# Keys containing "-" or "$" are not valid in a dotted Rego reference; a real
# policy needs the bracket form, e.g. input.Qs["api-version"], input.Qs["$top"].
input.Qs.api-version == STRING
# $filter and $orderby are free-form strings; $top has no upper bound here.
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Entities_Expand
valid {
input.Body.endTime == STRING
input.Body.expansionId == STRING
input.Body.startTime == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Entities_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Entities_GetInsights
# Request shape for fetching insights on one entity: a time window, a flag that
# widens it, and the insight query ids to run.
valid {
# Plain strings: no timestamp format or start-before-end ordering is expressed.
input.Body.startTime == STRING
input.Body.endTime == STRING
input.Body.addDefaultExtendedTimeRange == BOOLEAN
# If evaluated as Rego, "[_]" is existential: one matching id satisfies this
# line even when other ids in the array would not.
input.Body.insightQueryIds[_] == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Entities_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Entities_Queries
enum_EntityQueryKindParam := [ "Insight" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityId == STRING
input.Qs.api-version == STRING
input.Qs.kind == enum_EntityQueryKindParam[_]
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Entities_RunPlaybook
# Request shape for triggering a playbook on an entity. The playbook, tenant and
# incident are all named by caller-supplied body fields.
valid {
input.Body.incidentArmId == STRING
# tenantId and logicAppsResourceId are not related to ReqMap.SubscriptionID or
# ReqMap.ResourceGroup by this rule. A policy that must confine automation to
# approved playbooks should compare logicAppsResourceId with an allow-list and
# tenantId with the expected tenant.
input.Body.tenantId == STRING
input.Body.logicAppsResourceId == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# Path key is entityIdentifier here, not entityId as in the other Entities_*
# operations in this file.
input.ReqMap.entityIdentifier == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntityQueries_CreateOrUpdate
enum_CustomEntityQueryKind := [ "Activity" ]
valid {
input.Body.kind == enum_CustomEntityQueryKind[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityQueryId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntityQueries_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityQueryId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntityQueries_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityQueryId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntityQueries_List
enum_EntityQueryKind := [ "Expansion", "Activity" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.kind == enum_EntityQueryKind[_]
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntityQueryTemplates_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityQueryTemplateId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntityQueryTemplates_List
enum_EntityQueryTemplateKind := [ "Activity" ]
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.kind == enum_EntityQueryTemplateKind[_]
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
EntityRelations_GetRelation
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.entityId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
FileImports_Create
# Request shape for creating a file import: ingestion mode, content type, the
# file's declared metadata, and a source label.
# All three enums include "Unspecified"; a policy that wants an explicit choice
# has to exclude that value itself.
enum_FileImportPropertiesContentType := [ "BasicIndicator", "StixIndicator", "Unspecified" ]
enum_FileImportPropertiesIngestionMode := [ "IngestOnlyIfAllAreValid", "IngestAnyValidRecords", "Unspecified" ]
enum_FileMetadataFileFormat := [ "CSV", "JSON", "Unspecified" ]
valid {
input.Body.properties.ingestionMode == enum_FileImportPropertiesIngestionMode[_]
input.Body.properties.contentType == enum_FileImportPropertiesContentType[_]
input.Body.properties.importFile.fileFormat == enum_FileMetadataFileFormat[_]
# fileName and fileSize are values declared by the caller in the request; this
# rule expresses no naming restriction and no size limit.
input.Body.properties.importFile.fileName == STRING
input.Body.properties.importFile.fileSize == INTEGER
# Free-form source label; pin it if imports must be attributable to known feeds.
input.Body.properties.source == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.fileImportId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
FileImports_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.fileImportId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
FileImports_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.fileImportId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
FileImports_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
GetRecommendations_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Get_SingleRecommendation
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.recommendationId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntComments_CreateOrUpdate
valid {
input.Body.properties.message == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.ReqMap.huntCommentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntComments_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.ReqMap.huntCommentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntComments_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.ReqMap.huntCommentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntComments_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntRelations_CreateOrUpdate
# Request shape for linking a hunt to another resource.
valid {
# relatedResourceId is a caller-supplied identifier; nothing here ties it to
# the subscription, resource group or workspace named in ReqMap.
input.Body.properties.relatedResourceId == STRING
# If evaluated as Rego, "[_]" is existential: one matching label is enough.
input.Body.properties.labels[_] == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.ReqMap.huntRelationId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntRelations_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.ReqMap.huntRelationId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntRelations_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.ReqMap.huntRelationId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
HuntRelations_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Hunts_CreateOrUpdate
# Request shape for creating or updating a hunt: descriptive text, status and
# hypothesis status, ATT&CK-style tactic/technique tags, labels and an owner.
enum_AttackTactic := [ "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution", "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement", "Collection", "Exfiltration", "CommandAndControl", "Impact", "PreAttack", "ImpairProcessControl", "InhibitResponseFunction" ]
enum_HuntOwnerOwnerType := [ "Unknown", "User", "Group" ]
enum_HuntPropertiesHypothesisStatus := [ "Unknown", "Invalidated", "Validated" ]
enum_HuntPropertiesStatus := [ "New", "Active", "Closed", "Backlog", "Approved" ]
valid {
input.Body.properties.displayName == STRING
input.Body.properties.description == STRING
input.Body.properties.status == enum_HuntPropertiesStatus[_]
input.Body.properties.hypothesisStatus == enum_HuntPropertiesHypothesisStatus[_]
# If evaluated as Rego, "[_] == enum[_]" holds when ANY one tactic is in the
# enum; it does not reject an array that also contains unknown values.
input.Body.properties.attackTactics[_] == enum_AttackTactic[_]
# Techniques are free-form strings here, not checked against any list.
input.Body.properties.attackTechniques[_] == STRING
input.Body.properties.labels[_] == STRING
# Owner fields come from the request body; do not treat them as the
# authenticated caller's identity.
input.Body.properties.owner.email == STRING
input.Body.properties.owner.assignedTo == STRING
input.Body.properties.owner.objectId == STRING
input.Body.properties.owner.userPrincipalName == STRING
input.Body.properties.owner.ownerType == enum_HuntOwnerOwnerType[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Hunts_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Hunts_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.huntId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Hunts_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IPGeodata_Get
# IP geolocation lookup scoped to a subscription and resource group only:
# ReqMap has no workspaceName, so workspace-based restrictions do not apply.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.Qs.api-version == STRING
# The address is carried in the query string as an unconstrained string; no
# IPv4/IPv6 format check is expressed here.
input.Qs.ipAddress == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentComments_CreateOrUpdate
valid {
input.Body.properties.message == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.incidentCommentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentComments_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.incidentCommentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentComments_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.incidentCommentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentComments_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentRelations_CreateOrUpdate
# Request shape for linking an incident to another resource.
valid {
# relatedResourceId is a caller-supplied identifier; nothing here ties it to
# the subscription, resource group or workspace named in ReqMap.
input.Body.properties.relatedResourceId == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentRelations_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentRelations_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.relationName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentRelations_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentTasks_CreateOrUpdate
# Request shape for creating or updating a task on an incident: title,
# description, status, and two identity records.
enum_IncidentTaskStatus := [ "New", "Completed" ]
valid {
input.Body.properties.title == STRING
input.Body.properties.description == STRING
input.Body.properties.status == enum_IncidentTaskStatus[_]
# createdBy and lastModifiedBy are listed as request-body fields, so the values
# seen here are whatever the caller sent. Base audit decisions on the
# authenticated principal, not on these fields.
# NOTE(review): confirm whether the service overwrites them server-side.
input.Body.properties.createdBy.email == STRING
input.Body.properties.createdBy.name == STRING
input.Body.properties.createdBy.objectId == STRING
input.Body.properties.createdBy.userPrincipalName == STRING
input.Body.properties.lastModifiedBy.email == STRING
input.Body.properties.lastModifiedBy.name == STRING
input.Body.properties.lastModifiedBy.objectId == STRING
input.Body.properties.lastModifiedBy.userPrincipalName == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.incidentTaskId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentTasks_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.incidentTaskId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentTasks_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.ReqMap.incidentTaskId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
IncidentTasks_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_CreateOrUpdate
# Request shape for creating or updating an incident: classification, severity,
# status, owner, labels, activity times and descriptive text.
# One request can set status to "Closed", classification to "FalsePositive" or
# severity to "Informational", so this is the operation to constrain when only
# some principals may close or downgrade incidents.
enum_IncidentOwnerInfoOwnerType := [ "Unknown", "User", "Group" ]
enum_IncidentPropertiesClassification := [ "Undetermined", "TruePositive", "BenignPositive", "FalsePositive" ]
enum_IncidentPropertiesClassificationReason := [ "SuspiciousActivity", "SuspiciousButExpected", "IncorrectAlertLogic", "InaccurateData" ]
enum_IncidentPropertiesStatus := [ "New", "Active", "Closed" ]
enum_IncidentSeverityEnum := [ "High", "Medium", "Low", "Informational" ]
valid {
input.Body.properties.classification == enum_IncidentPropertiesClassification[_]
input.Body.properties.classificationComment == STRING
input.Body.properties.classificationReason == enum_IncidentPropertiesClassificationReason[_]
input.Body.properties.description == STRING
# Activity timestamps are plain strings; no format or ordering is expressed.
input.Body.properties.firstActivityTimeUtc == STRING
# If evaluated as Rego, "[_]" is existential: one matching label is enough.
input.Body.properties.labels[_].labelName == STRING
input.Body.properties.lastActivityTimeUtc == STRING
# Owner fields come from the request body; do not treat them as the
# authenticated caller's identity.
input.Body.properties.owner.email == STRING
input.Body.properties.owner.assignedTo == STRING
input.Body.properties.owner.objectId == STRING
input.Body.properties.owner.userPrincipalName == STRING
input.Body.properties.owner.ownerType == enum_IncidentOwnerInfoOwnerType[_]
input.Body.properties.severity == enum_IncidentSeverityEnum[_]
input.Body.properties.status == enum_IncidentPropertiesStatus[_]
input.Body.properties.title == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_CreateTeam
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_Delete
# Path-only rule: no request body, only the incident's scope and id.
# NOTE(review): deleting an incident presumably removes the case record itself,
# so this is a candidate for a tighter allow rule and an alert - confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_List
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_ListAlerts
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_ListBookmarks
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_ListEntities
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.incidentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Incidents_RunPlaybook
# Request shape for triggering a playbook on an incident. The playbook and
# tenant are named by caller-supplied body fields.
valid {
# Neither field is related to ReqMap.SubscriptionID or ReqMap.ResourceGroup by
# this rule. To confine automation to approved playbooks, compare
# logicAppsResourceId with an allow-list and tenantId with the expected tenant.
input.Body.tenantId == STRING
input.Body.logicAppsResourceId == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# Path key is incidentIdentifier here, not incidentId as in the other
# Incidents_* operations in this file.
input.ReqMap.incidentIdentifier == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ListGeodataByIp
# Workspace-scoped IP geolocation lookup; the address is sent in the body.
# enum_EnrichmentType is declared again, with the same single value, under
# ListWhoisByDomain; two ":=" declarations of one name would conflict if both
# operations were merged into a single Rego package.
enum_EnrichmentType := [ "main" ]
valid {
# Unconstrained string: no IPv4/IPv6 format check is expressed here.
input.Body.ipAddress == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.enrichmentType == enum_EnrichmentType[_]
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ListWhoisByDomain
# Workspace-scoped whois lookup; the domain is sent in the body.
# enum_EnrichmentType is also declared, with the same single value, under
# ListGeodataByIp; two ":=" declarations of one name would conflict if both
# operations were merged into a single Rego package.
enum_EnrichmentType := [ "main" ]
valid {
# Unconstrained string: no hostname format check is expressed here.
input.Body.domain == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.enrichmentType == enum_EnrichmentType[_]
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Metadata_Create
# Request shape for creating a content metadata record: content identity and
# version, source, author, support, dependencies, categories, publishing dates
# and presentation assets.
enum_metadataDependenciesOperator := [ "AND", "OR" ]
enum_metadataKind := [ "DataConnector", "DataType", "Workbook", "WorkbookTemplate", "Playbook", "PlaybookTemplate", "AnalyticsRuleTemplate", "AnalyticsRule", "HuntingQuery", "InvestigationQuery", "Parser", "Watchlist", "WatchlistTemplate", "Solution", "AzureFunction", "LogicAppsCustomConnector", "AutomationRule" ]
enum_metadataSourceKind := [ "LocalWorkspace", "Community", "Solution", "SourceRepository" ]
enum_metadataSupportTier := [ "Microsoft", "Partner", "Community" ]
valid {
input.Body.properties.contentId == STRING
input.Body.properties.parentId == STRING
input.Body.properties.version == STRING
# The top-level kind is a free string here, although enum_metadataKind is
# declared above and used for dependencies.kind. A policy that restricts which
# content kinds may be registered has to compare this field itself.
input.Body.properties.kind == STRING
# source.kind and support.tier are provenance labels set by the caller
# ("Microsoft", "Partner", "Community", ...); they are claims, not proof of
# origin.
input.Body.properties.source.kind == enum_metadataSourceKind[_]
input.Body.properties.source.name == STRING
input.Body.properties.source.sourceId == STRING
input.Body.properties.author.name == STRING
input.Body.properties.author.email == STRING
input.Body.properties.author.link == STRING
input.Body.properties.support.tier == enum_metadataSupportTier[_]
input.Body.properties.support.name == STRING
input.Body.properties.support.email == STRING
input.Body.properties.support.link == STRING
input.Body.properties.dependencies.contentId == STRING
input.Body.properties.dependencies.kind == enum_metadataKind[_]
input.Body.properties.dependencies.version == STRING
input.Body.properties.dependencies.name == STRING
input.Body.properties.dependencies.operator == enum_metadataDependenciesOperator[_]
# If evaluated as Rego, each "[_]" below is an independent existential: the
# lines can be satisfied by different criteria elements, and one match per
# line is enough.
input.Body.properties.dependencies.criteria[_].contentId == STRING
input.Body.properties.dependencies.criteria[_].kind == enum_metadataKind[_]
input.Body.properties.dependencies.criteria[_].version == STRING
input.Body.properties.dependencies.criteria[_].name == STRING
input.Body.properties.dependencies.criteria[_].operator == enum_metadataDependenciesOperator[_]
# The recursive criteria structure is cut off at this depth; NESTED marks
# deeper levels that this listing does not describe.
input.Body.properties.dependencies.criteria[_].criteria[_] == NESTED
input.Body.properties.categories.domains[_] == STRING
input.Body.properties.categories.verticals[_] == STRING
input.Body.properties.providers[_] == STRING
input.Body.properties.firstPublishDate == STRING
input.Body.properties.lastPublishDate == STRING
input.Body.properties.customVersion == STRING
input.Body.properties.contentSchemaVersion == STRING
# icon and the preview image entries are free-form strings.
# NOTE(review): presumably URLs or identifiers that a UI later renders -
# confirm, and constrain their form if so.
input.Body.properties.icon == STRING
input.Body.properties.threatAnalysisTactics[_] == STRING
input.Body.properties.threatAnalysisTechniques[_] == STRING
input.Body.properties.previewImages[_] == STRING
input.Body.properties.previewImagesDark[_] == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.metadataName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Metadata_Delete
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.metadataName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Metadata_Get
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.metadataName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Metadata_List
# Request shape for listing metadata records in a workspace.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
# $filter and $orderby are free-form strings; $top has no upper bound here.
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
# Paging uses an integer $skip here, where the other list operations in this
# file use a string $skipToken; a shared paging rule must handle both.
input.Qs.$skip == INTEGER
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Metadata_Update
# Input template for Metadata_Update: the request body describes a content
# metadata record (source, author, support, dependencies, categories).
# The four enum_* lists below are the only closed value sets in this template;
# every other field is an unconstrained STRING placeholder.
enum_metadataDependenciesOperator := [ "AND", "OR" ]
enum_metadataKind := [ "DataConnector", "DataType", "Workbook", "WorkbookTemplate", "Playbook", "PlaybookTemplate", "AnalyticsRuleTemplate", "AnalyticsRule", "HuntingQuery", "InvestigationQuery", "Parser", "Watchlist", "WatchlistTemplate", "Solution", "AzureFunction", "LogicAppsCustomConnector", "AutomationRule" ]
enum_metadataSourceKind := [ "LocalWorkspace", "Community", "Solution", "SourceRepository" ]
enum_metadataSupportTier := [ "Microsoft", "Partner", "Community" ]
valid {
input.Body.properties.contentId == STRING
input.Body.properties.parentId == STRING
input.Body.properties.version == STRING
# NOTE(review): the top-level kind is a plain STRING here, while
# dependencies.kind below is checked against enum_metadataKind. Confirm
# whether that difference is intended before relying on kind in a policy.
input.Body.properties.kind == STRING
# `== enum_X[_]` holds when the value equals some member of the list.
input.Body.properties.source.kind == enum_metadataSourceKind[_]
input.Body.properties.source.name == STRING
input.Body.properties.source.sourceId == STRING
input.Body.properties.author.name == STRING
input.Body.properties.author.email == STRING
input.Body.properties.author.link == STRING
# support.tier is supplied in the request body; a policy that treats
# "Microsoft" or "Partner" content differently is trusting a caller-set value.
input.Body.properties.support.tier == enum_metadataSupportTier[_]
input.Body.properties.support.name == STRING
input.Body.properties.support.email == STRING
input.Body.properties.support.link == STRING
input.Body.properties.dependencies.contentId == STRING
input.Body.properties.dependencies.kind == enum_metadataKind[_]
input.Body.properties.dependencies.version == STRING
input.Body.properties.dependencies.name == STRING
input.Body.properties.dependencies.operator == enum_metadataDependenciesOperator[_]
input.Body.properties.dependencies.criteria[_].contentId == STRING
input.Body.properties.dependencies.criteria[_].kind == enum_metadataKind[_]
input.Body.properties.dependencies.criteria[_].version == STRING
input.Body.properties.dependencies.criteria[_].name == STRING
input.Body.properties.dependencies.criteria[_].operator == enum_metadataDependenciesOperator[_]
# NESTED marks where the criteria structure repeats inside itself; the
# template expands only one level. Presumably the nesting depth is
# unbounded -- verify before writing a policy that walks it.
input.Body.properties.dependencies.criteria[_].criteria[_] == NESTED
input.Body.properties.categories.domains[_] == STRING
input.Body.properties.categories.verticals[_] == STRING
input.Body.properties.providers[_] == STRING
input.Body.properties.firstPublishDate == STRING
input.Body.properties.lastPublishDate == STRING
input.Body.properties.customVersion == STRING
input.Body.properties.contentSchemaVersion == STRING
input.Body.properties.icon == STRING
input.Body.properties.threatAnalysisTactics[_] == STRING
input.Body.properties.threatAnalysisTechniques[_] == STRING
input.Body.properties.previewImages[_] == STRING
input.Body.properties.previewImagesDark[_] == STRING
# No input.Body.etag entry is listed for this operation.
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.metadataName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
OfficeConsents_Delete
# Input template for OfficeConsents_Delete. No request-body fields are listed;
# the consent is addressed by ReqMap.consentId within the named workspace.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.consentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
OfficeConsents_Get
# Input template for OfficeConsents_Get. No request-body fields are listed;
# the consent is addressed by ReqMap.consentId within the named workspace.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.consentId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
OfficeConsents_List
# Input template for OfficeConsents_List. Scope is the workspace named in
# ReqMap; no request-body fields or paging options are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Operations_List
# Input template for Operations_List. Only the api-version query parameter and
# the provider region are listed: there is no ReqMap section and no
# subscription or resource-group value, so a policy cannot scope this
# operation by subscription from the fields shown here.
valid {
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
}
ProductPackage_Get
# Input template for ProductPackage_Get. No request-body fields are listed;
# the package is addressed by ReqMap.packageId within the named workspace.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.packageId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ProductPackages_List
# Input template for ProductPackages_List. Scope is the workspace named in
# ReqMap; no request-body fields are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
# Query-string options: free-form $filter / $orderby, an integer $top with
# no bound stated in the template, and a string $skipToken.
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ProductSettings_Delete
# Input template for ProductSettings_Delete. No request-body fields are
# listed; the setting is addressed by ReqMap.settingsName.
# NOTE(review): settingsName is a plain STRING here, so the template does not
# restrict which setting can be named -- a policy that wants to protect
# specific settings has to compare settingsName itself.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.settingsName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ProductSettings_Get
# Input template for ProductSettings_Get. No request-body fields are listed;
# the setting is addressed by ReqMap.settingsName within the named workspace.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.settingsName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ProductSettings_List
# Input template for ProductSettings_List. Scope is the workspace named in
# ReqMap; no request-body fields or paging options are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ProductSettings_Update
# Input template for ProductSettings_Update. The body lists only kind and
# etag; kind must be one of the four values in enum_SettingsKind.
enum_SettingsKind := [ "Anomalies", "EyesOn", "EntityAnalytics", "Ueba" ]
valid {
input.Body.kind == enum_SettingsKind[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# NOTE(review): the template does not relate settingsName to Body.kind;
# whether the two must agree is not visible here.
input.ReqMap.settingsName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ProductTemplate_Get
# Input template for ProductTemplate_Get. No request-body fields are listed;
# the template is addressed by ReqMap.templateId within the named workspace.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.templateId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ProductTemplates_List
# Input template for ProductTemplates_List. Scope is the workspace named in
# ReqMap; no request-body fields are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
# Query-string options. $filter, $orderby and $search are free-form strings;
# $count is a boolean; $top and $skip are integers. Both $skip and
# $skipToken are listed for this operation.
input.Qs.$filter == STRING
input.Qs.$orderby == STRING
input.Qs.$search == STRING
input.Qs.$count == BOOLEAN
input.Qs.$top == INTEGER
input.Qs.$skip == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Reevaluate_Recommendation
# Input template for Reevaluate_Recommendation. No request-body fields are
# listed; the recommendation is addressed by ReqMap.recommendationId.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.recommendationId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SecurityMLAnalyticsSettings_CreateOrUpdate
# Input template for SecurityMLAnalyticsSettings_CreateOrUpdate. The body
# lists only kind and etag; the enum has a single member, so kind can only
# be "Anomaly". No settings payload beyond that is shown in this template.
enum_SecurityMLAnalyticsSettingsKindEnum := [ "Anomaly" ]
valid {
input.Body.kind == enum_SecurityMLAnalyticsSettingsKindEnum[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.settingsResourceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SecurityMLAnalyticsSettings_Delete
# Input template for SecurityMLAnalyticsSettings_Delete. No request-body
# fields are listed; the setting is addressed by ReqMap.settingsResourceName.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.settingsResourceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SecurityMLAnalyticsSettings_Get
# Input template for SecurityMLAnalyticsSettings_Get. No request-body fields
# are listed; the setting is addressed by ReqMap.settingsResourceName.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.settingsResourceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SecurityMLAnalyticsSettings_List
# Input template for SecurityMLAnalyticsSettings_List. Scope is the workspace
# named in ReqMap; no request-body fields or paging options are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SentinelOnboardingStates_Create
# Input template for SentinelOnboardingStates_Create. The body lists one
# property, customerManagedKey, plus etag.
valid {
# BOOLEAN is a type placeholder. A policy that mandates a particular
# encryption posture would compare this field with true or false instead.
# NOTE(review): the exact effect of this flag is inferred from its name;
# confirm against the API documentation.
input.Body.properties.customerManagedKey == BOOLEAN
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.sentinelOnboardingStateName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SentinelOnboardingStates_Delete
# Input template for SentinelOnboardingStates_Delete. No request-body fields
# are listed; the state is addressed by ReqMap.sentinelOnboardingStateName.
# NOTE(review): by name this removes a workspace's onboarding state, which
# would make it a high-impact operation to gate in policy -- confirm the
# effect against the API documentation.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.sentinelOnboardingStateName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SentinelOnboardingStates_Get
# Input template for SentinelOnboardingStates_Get. No request-body fields are
# listed; the state is addressed by ReqMap.sentinelOnboardingStateName.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.sentinelOnboardingStateName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SentinelOnboardingStates_List
# Input template for SentinelOnboardingStates_List. Scope is the workspace
# named in ReqMap; no request-body fields or paging options are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SourceControl_listRepositories
# Input template for SourceControl_listRepositories. Although the operation
# name is a list, the template carries a request body holding a
# repositoryAccess object.
enum_RepositoryAccessKind := [ "OAuth", "PAT", "App" ]
valid {
input.Body.properties.repositoryAccess.kind == enum_RepositoryAccessKind[_]
# NOTE(review): by name, code / state / clientId / token / installationId are
# repository credential material (OAuth exchange values, a personal access
# token, an app installation id) -- confirm against the API specification.
# If so, any system that evaluates or records this input should mask these
# fields in decision logs and traces, and policies should test only their
# presence or the access kind, never echo their values.
input.Body.properties.repositoryAccess.code == STRING
input.Body.properties.repositoryAccess.state == STRING
input.Body.properties.repositoryAccess.clientId == STRING
input.Body.properties.repositoryAccess.token == STRING
input.Body.properties.repositoryAccess.installationId == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SourceControls_Create
# Input template for SourceControls_Create: the body describes a link between
# the workspace and an external repository (type, URL, branch, the content
# types it carries) together with the access material used to reach it.
enum_ContentType := [ "AnalyticRule", "AutomationRule", "HuntingQuery", "Parser", "Playbook", "Workbook" ]
enum_RepoType := [ "Github", "AzureDevOps" ]
enum_RepositoryAccessKind := [ "OAuth", "PAT", "App" ]
valid {
input.Body.properties.displayName == STRING
input.Body.properties.description == STRING
input.Body.properties.repoType == enum_RepoType[_]
# `contentTypes[_] == enum_ContentType[_]` is satisfied as soon as one
# element is a known content type; it does not by itself check every
# element. A policy that restricts which content types may be linked needs
# an explicit check over all elements.
input.Body.properties.contentTypes[_] == enum_ContentType[_]
# repository.url and repository.branch are unconstrained strings in this
# template. Presumably they decide where workspace content is pulled from,
# so an allow-list on them is the natural policy control -- verify how the
# service uses them.
input.Body.properties.repository.url == STRING
input.Body.properties.repository.branch == STRING
input.Body.properties.repository.displayUrl == STRING
input.Body.properties.servicePrincipal.credentialsExpireOn == STRING
input.Body.properties.repositoryAccess.kind == enum_RepositoryAccessKind[_]
# NOTE(review): by name, the next five fields are credential material
# (OAuth exchange values, a personal access token, an app installation id)
# -- confirm against the API specification. If so, mask them wherever this
# input is logged or traced, and have policies test presence or kind only.
input.Body.properties.repositoryAccess.code == STRING
input.Body.properties.repositoryAccess.state == STRING
input.Body.properties.repositoryAccess.clientId == STRING
input.Body.properties.repositoryAccess.token == STRING
input.Body.properties.repositoryAccess.installationId == STRING
# A boolean request flag; the secret itself is not part of this template.
input.Body.properties.repositoryResourceInfo.webhook.rotateWebhookSecret == BOOLEAN
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.sourceControlId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SourceControls_Delete
# Input template for SourceControls_Delete. Unlike most delete templates on
# this page, this one carries a request body holding a repositoryAccess
# object in addition to the sourceControlId in ReqMap.
enum_RepositoryAccessKind := [ "OAuth", "PAT", "App" ]
valid {
input.Body.properties.repositoryAccess.kind == enum_RepositoryAccessKind[_]
# NOTE(review): by name, code / state / clientId / token / installationId are
# repository credential material -- confirm against the API specification.
# If so, mask them wherever this input is logged or traced, and have
# policies test presence or kind only.
input.Body.properties.repositoryAccess.code == STRING
input.Body.properties.repositoryAccess.state == STRING
input.Body.properties.repositoryAccess.clientId == STRING
input.Body.properties.repositoryAccess.token == STRING
input.Body.properties.repositoryAccess.installationId == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.sourceControlId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SourceControls_Get
# Input template for SourceControls_Get. No request-body fields are listed;
# the source control is addressed by ReqMap.sourceControlId.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.sourceControlId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
SourceControls_List
# Input template for SourceControls_List. Scope is the workspace named in
# ReqMap; no request-body fields or paging options are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicatorMetrics_List
# Input template for ThreatIntelligenceIndicatorMetrics_List. Scope is the
# workspace named in ReqMap; no request-body fields or paging options are
# listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicator_AppendTags
# Input template for ThreatIntelligenceIndicator_AppendTags. The body is a
# list of tag strings placed directly under input.Body (not under
# properties); the indicator is addressed by ReqMap.name.
valid {
# `[_]` matches any one element, so this line alone does not constrain
# every tag in the list.
input.Body.threatIntelligenceTags[_] == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.name == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicator_Create
# Input template for ThreatIntelligenceIndicator_Create: the body is a full
# threat-intelligence indicator record and the indicator is addressed by
# ReqMap.name. No Body.kind or Body.etag entry is listed for this operation.
# Every field is a type placeholder only -- the template sets no range on
# confidence and does not require validUntil, so any such rule has to be
# added by the policy author.
valid {
input.Body.properties.threatIntelligenceTags[_] == STRING
input.Body.properties.lastUpdatedTimeUtc == STRING
# source, createdByRef, created and modified arrive in the request body; a
# policy should not treat them as authoritative provenance.
# NOTE(review): whether the service overwrites them is not visible here.
input.Body.properties.source == STRING
input.Body.properties.displayName == STRING
input.Body.properties.description == STRING
input.Body.properties.indicatorTypes[_] == STRING
input.Body.properties.pattern == STRING
input.Body.properties.patternType == STRING
input.Body.properties.patternVersion == STRING
input.Body.properties.killChainPhases[_].killChainName == STRING
input.Body.properties.killChainPhases[_].phaseName == STRING
input.Body.properties.parsedPattern[_].patternTypeKey == STRING
input.Body.properties.parsedPattern[_].patternTypeValues[_].valueType == STRING
input.Body.properties.parsedPattern[_].patternTypeValues[_].value == STRING
input.Body.properties.externalId == STRING
input.Body.properties.createdByRef == STRING
input.Body.properties.defanged == BOOLEAN
input.Body.properties.externalLastUpdatedTimeUtc == STRING
input.Body.properties.externalReferences[_].description == STRING
input.Body.properties.externalReferences[_].externalId == STRING
input.Body.properties.externalReferences[_].sourceName == STRING
input.Body.properties.externalReferences[_].url == STRING
# STRING in key position (hashes.STRING) presumably stands for an arbitrary
# map key, i.e. hashes is a string-to-string map -- confirm.
input.Body.properties.externalReferences[_].hashes.STRING == STRING
input.Body.properties.granularMarkings[_].language == STRING
input.Body.properties.granularMarkings[_].markingRef == INTEGER
input.Body.properties.granularMarkings[_].selectors[_] == STRING
input.Body.properties.labels[_] == STRING
input.Body.properties.revoked == BOOLEAN
input.Body.properties.confidence == INTEGER
input.Body.properties.objectMarkingRefs[_] == STRING
input.Body.properties.language == STRING
input.Body.properties.threatTypes[_] == STRING
input.Body.properties.validFrom == STRING
input.Body.properties.validUntil == STRING
input.Body.properties.created == STRING
input.Body.properties.modified == STRING
# Same key-placeholder form as hashes above: an open-ended map.
input.Body.properties.extensions.STRING == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.name == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicator_CreateIndicator
# Input template for ThreatIntelligenceIndicator_CreateIndicator: the body is
# a full threat-intelligence indicator record plus Body.kind and Body.etag.
# ReqMap carries no indicator name for this operation. Every field is a type
# placeholder only -- the template sets no range on confidence and does not
# require validUntil, so any such rule has to be added by the policy author.
enum_ThreatIntelligenceResourceInnerKind := [ "indicator" ]
valid {
input.Body.properties.threatIntelligenceTags[_] == STRING
input.Body.properties.lastUpdatedTimeUtc == STRING
# source, createdByRef, created and modified arrive in the request body; a
# policy should not treat them as authoritative provenance.
# NOTE(review): whether the service overwrites them is not visible here.
input.Body.properties.source == STRING
input.Body.properties.displayName == STRING
input.Body.properties.description == STRING
input.Body.properties.indicatorTypes[_] == STRING
input.Body.properties.pattern == STRING
input.Body.properties.patternType == STRING
input.Body.properties.patternVersion == STRING
input.Body.properties.killChainPhases[_].killChainName == STRING
input.Body.properties.killChainPhases[_].phaseName == STRING
input.Body.properties.parsedPattern[_].patternTypeKey == STRING
input.Body.properties.parsedPattern[_].patternTypeValues[_].valueType == STRING
input.Body.properties.parsedPattern[_].patternTypeValues[_].value == STRING
input.Body.properties.externalId == STRING
input.Body.properties.createdByRef == STRING
input.Body.properties.defanged == BOOLEAN
input.Body.properties.externalLastUpdatedTimeUtc == STRING
input.Body.properties.externalReferences[_].description == STRING
input.Body.properties.externalReferences[_].externalId == STRING
input.Body.properties.externalReferences[_].sourceName == STRING
input.Body.properties.externalReferences[_].url == STRING
# STRING in key position (hashes.STRING) presumably stands for an arbitrary
# map key, i.e. hashes is a string-to-string map -- confirm.
input.Body.properties.externalReferences[_].hashes.STRING == STRING
input.Body.properties.granularMarkings[_].language == STRING
input.Body.properties.granularMarkings[_].markingRef == INTEGER
input.Body.properties.granularMarkings[_].selectors[_] == STRING
input.Body.properties.labels[_] == STRING
input.Body.properties.revoked == BOOLEAN
input.Body.properties.confidence == INTEGER
input.Body.properties.objectMarkingRefs[_] == STRING
input.Body.properties.language == STRING
input.Body.properties.threatTypes[_] == STRING
input.Body.properties.validFrom == STRING
input.Body.properties.validUntil == STRING
input.Body.properties.created == STRING
input.Body.properties.modified == STRING
# Same key-placeholder form as hashes above: an open-ended map.
input.Body.properties.extensions.STRING == STRING
# The enum has a single member, so kind can only be "indicator".
input.Body.kind == enum_ThreatIntelligenceResourceInnerKind[_]
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicator_Delete
# Input template for ThreatIntelligenceIndicator_Delete. No request-body
# fields are listed; the indicator is addressed by ReqMap.name.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.name == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicator_Get
# Input template for ThreatIntelligenceIndicator_Get. No request-body fields
# are listed; the indicator is addressed by ReqMap.name.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.name == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicator_QueryIndicators
# Input template for ThreatIntelligenceIndicator_QueryIndicators: the query
# criteria travel in the request body rather than in the query string.
enum_ThreatIntelligenceSortingOrder := [ "unsorted", "ascending", "descending" ]
valid {
# pageSize and the confidence bounds are bare INTEGER placeholders; the
# template states no limits and does not relate minConfidence to
# maxConfidence.
input.Body.pageSize == INTEGER
input.Body.minConfidence == INTEGER
input.Body.maxConfidence == INTEGER
input.Body.minValidUntil == STRING
input.Body.maxValidUntil == STRING
input.Body.includeDisabled == BOOLEAN
input.Body.sortBy[_].itemKey == STRING
input.Body.sortBy[_].sortOrder == enum_ThreatIntelligenceSortingOrder[_]
input.Body.sources[_] == STRING
input.Body.patternTypes[_] == STRING
input.Body.threatTypes[_] == STRING
input.Body.ids[_] == STRING
input.Body.keywords[_] == STRING
input.Body.skipToken == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicator_ReplaceTags
# Input template for ThreatIntelligenceIndicator_ReplaceTags. Despite the
# tag-specific operation name, the body lists the full indicator property
# set, not only threatIntelligenceTags.
# NOTE(review): whether the service acts on the non-tag fields is not visible
# here; a policy meant to allow tag edits only should not assume the other
# fields are ignored.
valid {
input.Body.properties.threatIntelligenceTags[_] == STRING
input.Body.properties.lastUpdatedTimeUtc == STRING
input.Body.properties.source == STRING
input.Body.properties.displayName == STRING
input.Body.properties.description == STRING
input.Body.properties.indicatorTypes[_] == STRING
input.Body.properties.pattern == STRING
input.Body.properties.patternType == STRING
input.Body.properties.patternVersion == STRING
input.Body.properties.killChainPhases[_].killChainName == STRING
input.Body.properties.killChainPhases[_].phaseName == STRING
input.Body.properties.parsedPattern[_].patternTypeKey == STRING
input.Body.properties.parsedPattern[_].patternTypeValues[_].valueType == STRING
input.Body.properties.parsedPattern[_].patternTypeValues[_].value == STRING
input.Body.properties.externalId == STRING
input.Body.properties.createdByRef == STRING
input.Body.properties.defanged == BOOLEAN
input.Body.properties.externalLastUpdatedTimeUtc == STRING
input.Body.properties.externalReferences[_].description == STRING
input.Body.properties.externalReferences[_].externalId == STRING
input.Body.properties.externalReferences[_].sourceName == STRING
input.Body.properties.externalReferences[_].url == STRING
# STRING in key position (hashes.STRING) presumably stands for an arbitrary
# map key, i.e. hashes is a string-to-string map -- confirm.
input.Body.properties.externalReferences[_].hashes.STRING == STRING
input.Body.properties.granularMarkings[_].language == STRING
input.Body.properties.granularMarkings[_].markingRef == INTEGER
input.Body.properties.granularMarkings[_].selectors[_] == STRING
input.Body.properties.labels[_] == STRING
input.Body.properties.revoked == BOOLEAN
input.Body.properties.confidence == INTEGER
input.Body.properties.objectMarkingRefs[_] == STRING
input.Body.properties.language == STRING
input.Body.properties.threatTypes[_] == STRING
input.Body.properties.validFrom == STRING
input.Body.properties.validUntil == STRING
input.Body.properties.created == STRING
input.Body.properties.modified == STRING
# Same key-placeholder form as hashes above: an open-ended map.
input.Body.properties.extensions.STRING == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.name == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligenceIndicators_List
# Input template for ThreatIntelligenceIndicators_List. Scope is the
# workspace named in ReqMap; no request-body fields are listed.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
# Query-string options: free-form $filter / $orderby, an integer $top with
# no bound stated in the template, and a string $skipToken.
input.Qs.$filter == STRING
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.Qs.$orderby == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligence_Count
# Input template for ThreatIntelligence_Count: the body holds a list of
# condition clauses (field, operator, values) under Body.properties.condition.
# The operator must be one of the values in enum_ConditionClauseOperator;
# field and values are unconstrained strings.
enum_ConditionClauseOperator := [ "Equals", "NotEquals", "LessThan", "LessThanEqual", "GreaterThan", "GreaterThanEqual", "StringContains", "StringNotContains", "StringStartsWith", "StringNotStartsWith", "StringEndsWith", "StringNotEndsWith", "StringIsEmpty", "IsNull", "IsTrue", "IsFalse", "ArrayContains", "ArrayNotContains", "OnOrAfterRelative", "AfterRelative", "OnOrBeforeRelative", "BeforeRelative", "OnOrAfterAbsolute", "AfterAbsolute", "OnOrBeforeAbsolute", "BeforeAbsolute" ]
enum_TiType := [ "main" ]
valid {
input.Body.properties.condition.clauses[_].field == STRING
input.Body.properties.condition.clauses[_].operator == enum_ConditionClauseOperator[_]
input.Body.properties.condition.clauses[_].values[_] == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# The enum has a single member, so tiType can only be "main".
input.ReqMap.tiType == enum_TiType[_]
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
ThreatIntelligence_Query
# Input template for ThreatIntelligence_Query: the body holds a condition
# (object type, clauses, connectives), a sort specification and page-size
# hints. Here the condition sits directly under Body.condition, not under
# Body.properties.
enum_ConditionClauseOperator := [ "Equals", "NotEquals", "LessThan", "LessThanEqual", "GreaterThan", "GreaterThanEqual", "StringContains", "StringNotContains", "StringStartsWith", "StringNotStartsWith", "StringEndsWith", "StringNotEndsWith", "StringIsEmpty", "IsNull", "IsTrue", "IsFalse", "ArrayContains", "ArrayNotContains", "OnOrAfterRelative", "AfterRelative", "OnOrBeforeRelative", "BeforeRelative", "OnOrAfterAbsolute", "AfterAbsolute", "OnOrBeforeAbsolute", "BeforeAbsolute" ]
enum_Connective := [ "And", "Or" ]
enum_QuerySortByDirection := [ "ASC", "DESC" ]
enum_TiType := [ "main" ]
valid {
input.Body.condition.stixObjectType == STRING
input.Body.condition.clauses[_].clauseConnective == enum_Connective[_]
input.Body.condition.clauses[_].field == STRING
input.Body.condition.clauses[_].operator == enum_ConditionClauseOperator[_]
input.Body.condition.clauses[_].values[_] == STRING
input.Body.condition.conditionConnective == enum_Connective[_]
input.Body.sortBy.direction == enum_QuerySortByDirection[_]
input.Body.sortBy.field == STRING
# Bare INTEGER placeholders: the template states no limits and does not
# relate minPageSize to maxPageSize.
input.Body.maxPageSize == INTEGER
input.Body.minPageSize == INTEGER
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# The enum has a single member, so tiType can only be "main".
input.ReqMap.tiType == enum_TiType[_]
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Update_Recommendation
# Input template for Update_Recommendation. The body lists a single property,
# state, which must be one of the five values in enum_RecommendationState;
# the recommendation is addressed by ReqMap.recommendationId.
enum_RecommendationState := [ "Active", "InProgress", "Dismissed", "CompletedByUser", "CompletedBySystem" ]
valid {
# The enum admits "CompletedBySystem" as a request value.
# NOTE(review): whether callers are meant to set that state is not visible
# here; a policy can narrow the accepted values if not.
input.Body.properties.state == enum_RecommendationState[_]
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.recommendationId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WatchlistItems_CreateOrUpdate
# Input template for WatchlistItems_CreateOrUpdate: the body describes one
# watchlist item; the item is addressed by ReqMap.watchlistAlias and
# ReqMap.watchlistItemId.
valid {
input.Body.properties.watchlistItemType == STRING
# watchlistItemId appears both here and in ReqMap; the template does not
# relate the two values.
input.Body.properties.watchlistItemId == STRING
# tenantId, isDeleted, created/updated and createdBy/updatedBy arrive in the
# request body; a policy should not treat them as authoritative identity or
# audit data.
# NOTE(review): whether the service overwrites them is not visible here.
input.Body.properties.tenantId == STRING
input.Body.properties.isDeleted == BOOLEAN
input.Body.properties.created == STRING
input.Body.properties.updated == STRING
input.Body.properties.createdBy.objectId == STRING
input.Body.properties.updatedBy.objectId == STRING
# STRING in key position presumably stands for an arbitrary map key, i.e.
# itemsKeyValue and entityMapping are open-ended string maps -- confirm.
input.Body.properties.itemsKeyValue.STRING == STRING
input.Body.properties.entityMapping.STRING == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.watchlistAlias == STRING
input.ReqMap.watchlistItemId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WatchlistItems_Delete
# Input template for WatchlistItems_Delete. No request-body fields are
# listed; the item is addressed by ReqMap.watchlistAlias and
# ReqMap.watchlistItemId.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.watchlistAlias == STRING
input.ReqMap.watchlistItemId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WatchlistItems_Get
# Input template for WatchlistItems_Get. No request-body fields are listed;
# the item is addressed by ReqMap.watchlistAlias and ReqMap.watchlistItemId.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.watchlistAlias == STRING
input.ReqMap.watchlistItemId == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WatchlistItems_List
# Input template for WatchlistItems_List. Scope is the watchlist named by
# ReqMap.watchlistAlias; the only paging option listed is $skipToken.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.watchlistAlias == STRING
input.Qs.api-version == STRING
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Watchlists_CreateOrUpdate
# Input template for Watchlists_CreateOrUpdate: the body describes a
# watchlist and can carry its content inline; the watchlist is addressed by
# ReqMap.watchlistAlias.
valid {
input.Body.properties.watchlistId == STRING
input.Body.properties.displayName == STRING
input.Body.properties.provider == STRING
input.Body.properties.source == STRING
# created/updated, createdBy/updatedBy, isDeleted and tenantId arrive in the
# request body; a policy should not treat them as authoritative identity or
# audit data.
# NOTE(review): whether the service overwrites them is not visible here.
input.Body.properties.created == STRING
input.Body.properties.updated == STRING
input.Body.properties.createdBy.objectId == STRING
input.Body.properties.updatedBy.objectId == STRING
input.Body.properties.description == STRING
input.Body.properties.watchlistType == STRING
# watchlistAlias appears both here and in ReqMap; the template does not
# relate the two values.
input.Body.properties.watchlistAlias == STRING
input.Body.properties.isDeleted == BOOLEAN
input.Body.properties.labels[_] == STRING
input.Body.properties.defaultDuration == STRING
input.Body.properties.tenantId == STRING
input.Body.properties.numberOfLinesToSkip == INTEGER
# rawContent is an unconstrained string with no size limit stated in the
# template. Presumably it holds the watchlist data itself, so inputs for
# this operation may contain the listed entities in full -- keep that in
# mind wherever evaluated inputs are logged. Verify against the API docs.
input.Body.properties.rawContent == STRING
input.Body.properties.itemsSearchKey == STRING
input.Body.properties.contentType == STRING
input.Body.properties.uploadStatus == STRING
input.Body.etag == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.watchlistAlias == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Watchlists_Delete
# Input template for Watchlists_Delete. No request-body fields are listed;
# the watchlist is addressed by ReqMap.watchlistAlias.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.watchlistAlias == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Watchlists_Get
# Input template for Watchlists_Get. No request-body fields are listed; the
# watchlist is addressed by ReqMap.watchlistAlias.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.watchlistAlias == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
Watchlists_List
# Input template for Watchlists_List. Scope is the workspace named in ReqMap;
# the only paging option listed is $skipToken.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.Qs.api-version == STRING
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignmentJobs_Create
# Input template for WorkspaceManagerAssignmentJobs_Create. No request-body
# fields and no job name are listed; the only job-specific input is the
# parent assignment in ReqMap.workspaceManagerAssignmentName.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerAssignmentName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignmentJobs_Delete
# Input template for WorkspaceManagerAssignmentJobs_Delete. No request-body
# fields are listed; the job is addressed by
# ReqMap.workspaceManagerAssignmentName and ReqMap.jobName.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerAssignmentName == STRING
input.ReqMap.jobName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignmentJobs_Get
# Input template for WorkspaceManagerAssignmentJobs_Get. No request-body
# fields are listed; the job is addressed by
# ReqMap.workspaceManagerAssignmentName and ReqMap.jobName.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerAssignmentName == STRING
input.ReqMap.jobName == STRING
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignmentJobs_List
# Template rule for the WorkspaceManagerAssignmentJobs_List operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING / INTEGER look like placeholders for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerAssignmentName == STRING
# NOTE(review): keys containing '-' or '$' need bracket form in standard Rego
# (input.Qs["api-version"], input.Qs["$top"]); presumably the platform
# rewrites the dotted form — confirm.
input.Qs.api-version == STRING
# A request that omits any of the three query options below leaves that line
# undefined and the rule does not match; keep only the ones to be constrained.
input.Qs.$orderby == STRING
# Rego equality is type-strict (10 != "10"); verify the platform delivers $top
# as a number rather than the raw query-string text.
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignments_CreateOrUpdate
# Template rule for the WorkspaceManagerAssignments_CreateOrUpdate operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.Body.properties.targetResourceName == STRING
# items[_] is existential: the line holds as soon as ONE item has this
# resourceId. It does not require every item to match, so it cannot by itself
# restrict an assignment to an approved set of resources.
input.Body.properties.items[_].resourceId == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerAssignmentName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignments_Delete
# Template rule for the WorkspaceManagerAssignments_Delete operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerAssignmentName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignments_Get
# Template rule for the WorkspaceManagerAssignments_Get operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerAssignmentName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerAssignments_List
# Template rule for the WorkspaceManagerAssignments_List operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING / INTEGER look like placeholders for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# NOTE(review): keys containing '-' or '$' need bracket form in standard Rego
# (input.Qs["api-version"], input.Qs["$top"]); presumably the platform
# rewrites the dotted form — confirm.
input.Qs.api-version == STRING
# A request that omits any of the three query options below leaves that line
# undefined and the rule does not match; keep only the ones to be constrained.
input.Qs.$orderby == STRING
# Rego equality is type-strict (10 != "10"); verify the platform delivers $top
# as a number rather than the raw query-string text.
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerConfigurations_CreateOrUpdate
# Values accepted for properties.mode in the rule below.
enum_WorkspaceManagerConfigurationPropertiesMode := [ "Enabled", "Disabled" ]
# Template rule for the WorkspaceManagerConfigurations_CreateOrUpdate operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and satisfies its comparison.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
# Membership test: holds when mode equals ANY entry of the enum. With both
# values listed it only checks that mode is present and well-formed; compare
# against a single literal to enforce one specific mode.
input.Body.properties.mode == enum_WorkspaceManagerConfigurationPropertiesMode[_]
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerConfigurationName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerConfigurations_Delete
# Template rule for the WorkspaceManagerConfigurations_Delete operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerConfigurationName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerConfigurations_Get
# Template rule for the WorkspaceManagerConfigurations_Get operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerConfigurationName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerConfigurations_List
# Template rule for the WorkspaceManagerConfigurations_List operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING / INTEGER look like placeholders for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# NOTE(review): keys containing '-' or '$' need bracket form in standard Rego
# (input.Qs["api-version"], input.Qs["$top"]); presumably the platform
# rewrites the dotted form — confirm.
input.Qs.api-version == STRING
# A request that omits any of the three query options below leaves that line
# undefined and the rule does not match; keep only the ones to be constrained.
input.Qs.$orderby == STRING
# Rego equality is type-strict (10 != "10"); verify the platform delivers $top
# as a number rather than the raw query-string text.
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerGroups_CreateOrUpdate
# Template rule for the WorkspaceManagerGroups_CreateOrUpdate operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.Body.properties.description == STRING
input.Body.properties.displayName == STRING
# memberResourceNames[_] is existential: the line holds as soon as ONE member
# equals the value. Other, unlisted members in the same request still pass,
# so this line alone does not restrict group membership to an approved set.
input.Body.properties.memberResourceNames[_] == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerGroupName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerGroups_Delete
# Template rule for the WorkspaceManagerGroups_Delete operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerGroupName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerGroups_Get
# Template rule for the WorkspaceManagerGroups_Get operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerGroupName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerGroups_List
# Template rule for the WorkspaceManagerGroups_List operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING / INTEGER look like placeholders for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# NOTE(review): keys containing '-' or '$' need bracket form in standard Rego
# (input.Qs["api-version"], input.Qs["$top"]); presumably the platform
# rewrites the dotted form — confirm.
input.Qs.api-version == STRING
# A request that omits any of the three query options below leaves that line
# undefined and the rule does not match; keep only the ones to be constrained.
input.Qs.$orderby == STRING
# Rego equality is type-strict (10 != "10"); verify the platform delivers $top
# as a number rather than the raw query-string text.
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerMembers_CreateOrUpdate
# Template rule for the WorkspaceManagerMembers_CreateOrUpdate operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
# The two body fields name the workspace being added as a member and its
# tenant. Presumably targetWorkspaceTenantId is the value to pin when members
# must come from known tenants only — verify against the API definition.
input.Body.properties.targetWorkspaceResourceId == STRING
input.Body.properties.targetWorkspaceTenantId == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerMemberName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerMembers_Delete
# Template rule for the WorkspaceManagerMembers_Delete operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerMemberName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerMembers_Get
# Template rule for the WorkspaceManagerMembers_Get operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.workspaceManagerMemberName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
WorkspaceManagerMembers_List
# Template rule for the WorkspaceManagerMembers_List operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING / INTEGER look like placeholders for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# NOTE(review): keys containing '-' or '$' need bracket form in standard Rego
# (input.Qs["api-version"], input.Qs["$top"]); presumably the platform
# rewrites the dotted form — confirm.
input.Qs.api-version == STRING
# A request that omits any of the three query options below leaves that line
# undefined and the rule does not match; keep only the ones to be constrained.
input.Qs.$orderby == STRING
# Rego equality is type-strict (10 != "10"); verify the platform delivers $top
# as a number rather than the raw query-string text.
input.Qs.$top == INTEGER
input.Qs.$skipToken == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
alertRule_TriggerRuleRun
# Template rule for the alertRule_TriggerRuleRun operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
# Compared as an exact string. Presumably a UTC timestamp, in which case an
# equality match only fits one fixed value — verify the intended use.
input.Body.properties.executionTimeUtc == STRING
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleId == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
getTriggeredAnalyticsRuleRuns_List
# Template rule for the getTriggeredAnalyticsRuleRuns_List operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}
triggeredAnalyticsRuleRun_Get
# Template rule for the triggeredAnalyticsRuleRun_Get operation.
# Every line is ANDed: the rule holds only when each listed field is present
# in the input and equals the given value.
# STRING looks like a placeholder for the literal to match — TODO confirm.
valid {
input.ReqMap.SubscriptionID == STRING
input.ReqMap.ResourceGroup == STRING
input.ReqMap.workspaceName == STRING
input.ReqMap.ruleRunId == STRING
# NOTE(review): standard Rego needs input.Qs["api-version"] for a hyphenated
# key; presumably the platform rewrites the dotted form — confirm.
input.Qs.api-version == STRING
input.ProviderMetadata.Region == STRING
input.ProviderMetadata.SubscriptionID == STRING
input.ProviderMetadata.ResourceGroup == STRING
}