1package securityinsight 2 3// Copyright (c) Microsoft and contributors. All rights reserved. 4// 5// Licensed under the Apache License, Version 2.0 (the "License"); 6// you may not use this file except in compliance with the License. 7// You may obtain a copy of the License at 8// http://www.apache.org/licenses/LICENSE-2.0 9// 10// Unless required by applicable law or agreed to in writing, software 11// distributed under the License is distributed on an "AS IS" BASIS, 12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13// 14// See the License for the specific language governing permissions and 15// limitations under the License. 16// 17// Code generated by Microsoft (R) AutoRest Code Generator. 18// Changes may cause incorrect behavior and will be lost if the code is regenerated. 19 20// AlertRuleKind enumerates the values for alert rule kind. 21type AlertRuleKind string 22 23const ( 24 // AlertRuleKindAnomaly ... 25 AlertRuleKindAnomaly AlertRuleKind = "Anomaly" 26 // AlertRuleKindFusion ... 27 AlertRuleKindFusion AlertRuleKind = "Fusion" 28 // AlertRuleKindMicrosoftSecurityIncidentCreation ... 29 AlertRuleKindMicrosoftSecurityIncidentCreation AlertRuleKind = "MicrosoftSecurityIncidentCreation" 30 // AlertRuleKindMLBehaviorAnalytics ... 31 AlertRuleKindMLBehaviorAnalytics AlertRuleKind = "MLBehaviorAnalytics" 32 // AlertRuleKindScheduled ... 33 AlertRuleKindScheduled AlertRuleKind = "Scheduled" 34 // AlertRuleKindThreatIntelligence ... 35 AlertRuleKindThreatIntelligence AlertRuleKind = "ThreatIntelligence" 36) 37 38// PossibleAlertRuleKindValues returns an array of possible values for the AlertRuleKind const type. 
39func PossibleAlertRuleKindValues() []AlertRuleKind { 40 return []AlertRuleKind{AlertRuleKindAnomaly, AlertRuleKindFusion, AlertRuleKindMicrosoftSecurityIncidentCreation, AlertRuleKindMLBehaviorAnalytics, AlertRuleKindScheduled, AlertRuleKindThreatIntelligence} 41} 42 43// AlertSeverity enumerates the values for alert severity. 44type AlertSeverity string 45 46const ( 47 // High High severity 48 High AlertSeverity = "High" 49 // Informational Informational severity 50 Informational AlertSeverity = "Informational" 51 // Low Low severity 52 Low AlertSeverity = "Low" 53 // Medium Medium severity 54 Medium AlertSeverity = "Medium" 55) 56 57// PossibleAlertSeverityValues returns an array of possible values for the AlertSeverity const type. 58func PossibleAlertSeverityValues() []AlertSeverity { 59 return []AlertSeverity{High, Informational, Low, Medium} 60} 61 62// AlertStatus enumerates the values for alert status. 63type AlertStatus string 64 65const ( 66 // AlertStatusDismissed Alert dismissed as false positive 67 AlertStatusDismissed AlertStatus = "Dismissed" 68 // AlertStatusInProgress Alert is being handled 69 AlertStatusInProgress AlertStatus = "InProgress" 70 // AlertStatusNew New alert 71 AlertStatusNew AlertStatus = "New" 72 // AlertStatusResolved Alert closed after handling 73 AlertStatusResolved AlertStatus = "Resolved" 74 // AlertStatusUnknown Unknown value 75 AlertStatusUnknown AlertStatus = "Unknown" 76) 77 78// PossibleAlertStatusValues returns an array of possible values for the AlertStatus const type. 79func PossibleAlertStatusValues() []AlertStatus { 80 return []AlertStatus{AlertStatusDismissed, AlertStatusInProgress, AlertStatusNew, AlertStatusResolved, AlertStatusUnknown} 81} 82 83// AntispamMailDirection enumerates the values for antispam mail direction. 
type AntispamMailDirection string

const (
	// Inbound is mail entering the organization.
	Inbound AntispamMailDirection = "Inbound"
	// Intraorg is mail that stays inside the organization.
	Intraorg AntispamMailDirection = "Intraorg"
	// Outbound is mail leaving the organization.
	Outbound AntispamMailDirection = "Outbound"
	// Unknown is used when the direction could not be determined.
	Unknown AntispamMailDirection = "Unknown"
)

// PossibleAntispamMailDirectionValues returns an array of possible values for the AntispamMailDirection const type.
// A fresh slice is built on every call.
func PossibleAntispamMailDirectionValues() []AntispamMailDirection {
	directions := make([]AntispamMailDirection, 0, 4)
	return append(directions,
		Inbound,
		Intraorg,
		Outbound,
		Unknown,
	)
}

// AttackTactic enumerates the values for attack tactic. The names follow the
// MITRE ATT&CK tactic names; PreAttack corresponds to the retired PRE-ATT&CK
// matrix and may not be emitted by newer rule content.
type AttackTactic string

const (
	// Collection is the ATT&CK "Collection" tactic.
	Collection AttackTactic = "Collection"
	// CommandAndControl is the ATT&CK "Command and Control" tactic.
	CommandAndControl AttackTactic = "CommandAndControl"
	// CredentialAccess is the ATT&CK "Credential Access" tactic.
	CredentialAccess AttackTactic = "CredentialAccess"
	// DefenseEvasion is the ATT&CK "Defense Evasion" tactic.
	DefenseEvasion AttackTactic = "DefenseEvasion"
	// Discovery is the ATT&CK "Discovery" tactic.
	Discovery AttackTactic = "Discovery"
	// Execution is the ATT&CK "Execution" tactic.
	Execution AttackTactic = "Execution"
	// Exfiltration is the ATT&CK "Exfiltration" tactic.
	Exfiltration AttackTactic = "Exfiltration"
	// Impact is the ATT&CK "Impact" tactic.
	Impact AttackTactic = "Impact"
	// InitialAccess is the ATT&CK "Initial Access" tactic.
	InitialAccess AttackTactic = "InitialAccess"
	// LateralMovement is the ATT&CK "Lateral Movement" tactic.
	LateralMovement AttackTactic = "LateralMovement"
	// Persistence is the ATT&CK "Persistence" tactic.
	Persistence AttackTactic = "Persistence"
	// PreAttack is the pre-compromise tactic from the retired PRE-ATT&CK matrix.
	PreAttack AttackTactic = "PreAttack"
	// PrivilegeEscalation is the ATT&CK "Privilege Escalation" tactic.
	PrivilegeEscalation AttackTactic = "PrivilegeEscalation"
)

// PossibleAttackTacticValues returns an array of possible values for the AttackTactic const type.
// The order is alphabetical by name and carries no kill-chain ordering.
func PossibleAttackTacticValues() []AttackTactic {
	tactics := make([]AttackTactic, 0, 13)
	return append(tactics,
		Collection,
		CommandAndControl,
		CredentialAccess,
		DefenseEvasion,
		Discovery,
		Execution,
		Exfiltration,
		Impact,
		InitialAccess,
		LateralMovement,
		Persistence,
		PreAttack,
		PrivilegeEscalation,
	)
}

// CaseSeverity enumerates the values for case severity.
type CaseSeverity string

const (
	// CaseSeverityCritical Critical severity
	CaseSeverityCritical CaseSeverity = "Critical"
	// CaseSeverityHigh High severity
	CaseSeverityHigh CaseSeverity = "High"
	// CaseSeverityInformational Informational severity
	CaseSeverityInformational CaseSeverity = "Informational"
	// CaseSeverityLow Low severity
	CaseSeverityLow CaseSeverity = "Low"
	// CaseSeverityMedium Medium severity
	CaseSeverityMedium CaseSeverity = "Medium"
)

// PossibleCaseSeverityValues returns an array of possible values for the CaseSeverity const type.
// The order is alphabetical by name, not by severity rank.
func PossibleCaseSeverityValues() []CaseSeverity {
	severities := make([]CaseSeverity, 0, 5)
	return append(severities,
		CaseSeverityCritical,
		CaseSeverityHigh,
		CaseSeverityInformational,
		CaseSeverityLow,
		CaseSeverityMedium,
	)
}

// CaseStatus enumerates the values for case status.
type CaseStatus string

const (
	// CaseStatusClosed A non active case
	CaseStatusClosed CaseStatus = "Closed"
	// CaseStatusDraft Case that wasn't promoted yet to active
	CaseStatusDraft CaseStatus = "Draft"
	// CaseStatusInProgress An active case which is handled
	CaseStatusInProgress CaseStatus = "InProgress"
	// CaseStatusNew An active case which isn't handled currently
	CaseStatusNew CaseStatus = "New"
)

// PossibleCaseStatusValues returns an array of possible values for the CaseStatus const type.
func PossibleCaseStatusValues() []CaseStatus {
	statuses := make([]CaseStatus, 0, 4)
	return append(statuses,
		CaseStatusClosed,
		CaseStatusDraft,
		CaseStatusInProgress,
		CaseStatusNew,
	)
}

// CloseReason enumerates the values for close reason.
type CloseReason string

const (
	// Dismissed Case was dismissed
	Dismissed CloseReason = "Dismissed"
	// FalsePositive Case was false positive
	FalsePositive CloseReason = "FalsePositive"
	// Other Case was closed for another reason
	Other CloseReason = "Other"
	// Resolved Case was resolved
	Resolved CloseReason = "Resolved"
	// TruePositive Case was true positive
	TruePositive CloseReason = "TruePositive"
)

// PossibleCloseReasonValues returns an array of possible values for the CloseReason const type.
// A fresh slice is built on every call.
func PossibleCloseReasonValues() []CloseReason {
	reasons := make([]CloseReason, 0, 5)
	return append(reasons,
		Dismissed,
		FalsePositive,
		Other,
		Resolved,
		TruePositive,
	)
}

// ConfidenceLevel enumerates the values for confidence level, i.e. how
// confident the producer is that an alert is a true positive.
type ConfidenceLevel string

const (
	// ConfidenceLevelHigh High confidence that the alert is true positive malicious
	ConfidenceLevelHigh ConfidenceLevel = "High"
	// ConfidenceLevelLow Low confidence, meaning we have some doubts this is indeed malicious or part of an
	// attack
	ConfidenceLevelLow ConfidenceLevel = "Low"
	// ConfidenceLevelUnknown Unknown confidence; this is the default value
	ConfidenceLevelUnknown ConfidenceLevel = "Unknown"
)

// PossibleConfidenceLevelValues returns an array of possible values for the ConfidenceLevel const type.
// The order is alphabetical by name, not by confidence rank.
func PossibleConfidenceLevelValues() []ConfidenceLevel {
	levels := make([]ConfidenceLevel, 0, 3)
	return append(levels,
		ConfidenceLevelHigh,
		ConfidenceLevelLow,
		ConfidenceLevelUnknown,
	)
}

// ConfidenceScoreStatus enumerates the values for confidence score status.
type ConfidenceScoreStatus string

const (
	// Final Final score was calculated and available
	Final ConfidenceScoreStatus = "Final"
	// InProcess No score was set yet and calculation is in progress
	InProcess ConfidenceScoreStatus = "InProcess"
	// NotApplicable Score will not be calculated for this alert as it is not supported by virtual analyst
	NotApplicable ConfidenceScoreStatus = "NotApplicable"
	// NotFinal Score is calculated and shown as part of the alert, but may be updated again at a later time
	// following the processing of additional data
	NotFinal ConfidenceScoreStatus = "NotFinal"
)

// PossibleConfidenceScoreStatusValues returns an array of possible values for the ConfidenceScoreStatus const type.
// A fresh slice is built on every call.
func PossibleConfidenceScoreStatusValues() []ConfidenceScoreStatus {
	statuses := make([]ConfidenceScoreStatus, 0, 4)
	return append(statuses,
		Final,
		InProcess,
		NotApplicable,
		NotFinal,
	)
}

// DataConnectorAuthorizationState enumerates the values for data connector
// authorization state. An Invalid state means the connector's credentials or
// consent are not currently usable; data ingestion should not be assumed.
type DataConnectorAuthorizationState string

const (
	// Invalid means the connector's authorization is not valid.
	Invalid DataConnectorAuthorizationState = "Invalid"
	// Valid means the connector's authorization is valid.
	Valid DataConnectorAuthorizationState = "Valid"
)

// PossibleDataConnectorAuthorizationStateValues returns an array of possible values for the DataConnectorAuthorizationState const type.
func PossibleDataConnectorAuthorizationStateValues() []DataConnectorAuthorizationState {
	states := make([]DataConnectorAuthorizationState, 0, 2)
	return append(states,
		Invalid,
		Valid,
	)
}

// DataConnectorKind enumerates the values for data connector kind. Each value
// identifies the upstream product a connector ingests from.
type DataConnectorKind string

const (
	// DataConnectorKindAmazonWebServicesCloudTrail is the AWS CloudTrail connector kind.
	DataConnectorKindAmazonWebServicesCloudTrail DataConnectorKind = "AmazonWebServicesCloudTrail"
	// DataConnectorKindAzureActiveDirectory is the Azure Active Directory connector kind.
	DataConnectorKindAzureActiveDirectory DataConnectorKind = "AzureActiveDirectory"
	// DataConnectorKindAzureAdvancedThreatProtection is the Azure Advanced Threat Protection connector kind.
	DataConnectorKindAzureAdvancedThreatProtection DataConnectorKind = "AzureAdvancedThreatProtection"
	// DataConnectorKindAzureSecurityCenter is the Azure Security Center connector kind.
	DataConnectorKindAzureSecurityCenter DataConnectorKind = "AzureSecurityCenter"
	// DataConnectorKindDynamics365 is the Dynamics 365 connector kind.
	DataConnectorKindDynamics365 DataConnectorKind = "Dynamics365"
	// DataConnectorKindMicrosoftCloudAppSecurity is the Microsoft Cloud App Security connector kind.
	DataConnectorKindMicrosoftCloudAppSecurity DataConnectorKind = "MicrosoftCloudAppSecurity"
	// DataConnectorKindMicrosoftDefenderAdvancedThreatProtection is the Microsoft Defender ATP connector kind.
	DataConnectorKindMicrosoftDefenderAdvancedThreatProtection DataConnectorKind = "MicrosoftDefenderAdvancedThreatProtection"
	// DataConnectorKindOffice365 is the Office 365 connector kind.
	DataConnectorKindOffice365 DataConnectorKind = "Office365"
	// DataConnectorKindOfficeATP is the Office ATP connector kind.
	DataConnectorKindOfficeATP DataConnectorKind = "OfficeATP"
	// DataConnectorKindThreatIntelligence is the threat intelligence (platform) connector kind.
	DataConnectorKindThreatIntelligence DataConnectorKind = "ThreatIntelligence"
	// DataConnectorKindThreatIntelligenceTaxii is the TAXII threat intelligence connector kind.
	DataConnectorKindThreatIntelligenceTaxii DataConnectorKind = "ThreatIntelligenceTaxii"
)

// PossibleDataConnectorKindValues returns an array of possible values for the DataConnectorKind const type.
func PossibleDataConnectorKindValues() []DataConnectorKind {
	kinds := make([]DataConnectorKind, 0, 11)
	return append(kinds,
		DataConnectorKindAmazonWebServicesCloudTrail,
		DataConnectorKindAzureActiveDirectory,
		DataConnectorKindAzureAdvancedThreatProtection,
		DataConnectorKindAzureSecurityCenter,
		DataConnectorKindDynamics365,
		DataConnectorKindMicrosoftCloudAppSecurity,
		DataConnectorKindMicrosoftDefenderAdvancedThreatProtection,
		DataConnectorKindOffice365,
		DataConnectorKindOfficeATP,
		DataConnectorKindThreatIntelligence,
		DataConnectorKindThreatIntelligenceTaxii,
	)
}

// DataConnectorLicenseState enumerates the values for data connector license
// state. Unlike DataConnectorAuthorizationState it has an explicit Unknown
// value, so callers should not treat "not Valid" as "Invalid".
type DataConnectorLicenseState string

const (
	// DataConnectorLicenseStateInvalid means the required license is not valid.
	DataConnectorLicenseStateInvalid DataConnectorLicenseState = "Invalid"
	// DataConnectorLicenseStateUnknown means the license state could not be determined.
	DataConnectorLicenseStateUnknown DataConnectorLicenseState = "Unknown"
	// DataConnectorLicenseStateValid means the required license is valid.
	DataConnectorLicenseStateValid DataConnectorLicenseState = "Valid"
)

// PossibleDataConnectorLicenseStateValues returns an array of possible values for the DataConnectorLicenseState const type.
func PossibleDataConnectorLicenseStateValues() []DataConnectorLicenseState {
	states := make([]DataConnectorLicenseState, 0, 3)
	return append(states,
		DataConnectorLicenseStateInvalid,
		DataConnectorLicenseStateUnknown,
		DataConnectorLicenseStateValid,
	)
}

// DataTypeState enumerates the values for data type state, i.e. whether a
// connector's individual data type is being collected.
type DataTypeState string

const (
	// Disabled means the data type is not collected.
	Disabled DataTypeState = "Disabled"
	// Enabled means the data type is collected.
	Enabled DataTypeState = "Enabled"
)

// PossibleDataTypeStateValues returns an array of possible values for the DataTypeState const type.
func PossibleDataTypeStateValues() []DataTypeState {
	states := make([]DataTypeState, 0, 2)
	return append(states,
		Disabled,
		Enabled,
	)
}

// DeliveryAction enumerates the values for delivery action.
type DeliveryAction string

const (
	// DeliveryActionBlocked Blocked
	DeliveryActionBlocked DeliveryAction = "Blocked"
	// DeliveryActionDelivered Delivered
	DeliveryActionDelivered DeliveryAction = "Delivered"
	// DeliveryActionDeliveredAsSpam DeliveredAsSpam
	DeliveryActionDeliveredAsSpam DeliveryAction = "DeliveredAsSpam"
	// DeliveryActionReplaced Replaced
	DeliveryActionReplaced DeliveryAction = "Replaced"
	// DeliveryActionUnknown Unknown
	DeliveryActionUnknown DeliveryAction = "Unknown"
)

// PossibleDeliveryActionValues returns an array of possible values for the DeliveryAction const type.
// A fresh slice is built on every call.
func PossibleDeliveryActionValues() []DeliveryAction {
	actions := make([]DeliveryAction, 0, 5)
	return append(actions,
		DeliveryActionBlocked,
		DeliveryActionDelivered,
		DeliveryActionDeliveredAsSpam,
		DeliveryActionReplaced,
		DeliveryActionUnknown,
	)
}

// DeliveryLocation enumerates the values for delivery location: where a mail
// message ended up after filtering.
type DeliveryLocation string

const (
	// DeliveryLocationDeletedFolder DeletedFolder
	DeliveryLocationDeletedFolder DeliveryLocation = "DeletedFolder"
	// DeliveryLocationDropped Dropped
	DeliveryLocationDropped DeliveryLocation = "Dropped"
	// DeliveryLocationExternal External
	DeliveryLocationExternal DeliveryLocation = "External"
	// DeliveryLocationFailed Failed
	DeliveryLocationFailed DeliveryLocation = "Failed"
	// DeliveryLocationForwarded Forwarded
	DeliveryLocationForwarded DeliveryLocation = "Forwarded"
	// DeliveryLocationInbox Inbox
	DeliveryLocationInbox DeliveryLocation = "Inbox"
	// DeliveryLocationJunkFolder JunkFolder
	DeliveryLocationJunkFolder DeliveryLocation = "JunkFolder"
	// DeliveryLocationQuarantine Quarantine
	DeliveryLocationQuarantine DeliveryLocation = "Quarantine"
	// DeliveryLocationUnknown Unknown
	DeliveryLocationUnknown DeliveryLocation = "Unknown"
)

// PossibleDeliveryLocationValues returns an array of possible values for the DeliveryLocation const type.
func PossibleDeliveryLocationValues() []DeliveryLocation {
	locations := make([]DeliveryLocation, 0, 9)
	return append(locations,
		DeliveryLocationDeletedFolder,
		DeliveryLocationDropped,
		DeliveryLocationExternal,
		DeliveryLocationFailed,
		DeliveryLocationForwarded,
		DeliveryLocationInbox,
		DeliveryLocationJunkFolder,
		DeliveryLocationQuarantine,
		DeliveryLocationUnknown,
	)
}

// ElevationToken enumerates the values for elevation token.
// NOTE(review): the three values look like they mirror the Windows token
// elevation types (default / full / limited) of a process entity — confirm
// against the process entity schema before relying on that reading.
type ElevationToken string

const (
	// Default Default elevation token
	Default ElevationToken = "Default"
	// Full Full elevation token
	Full ElevationToken = "Full"
	// Limited Limited elevation token
	Limited ElevationToken = "Limited"
)

// PossibleElevationTokenValues returns an array of possible values for the ElevationToken const type.
func PossibleElevationTokenValues() []ElevationToken {
	tokens := make([]ElevationToken, 0, 3)
	return append(tokens,
		Default,
		Full,
		Limited,
	)
}

// EntitiesMatchingMethod enumerates the values for entities matching method,
// which controls how alerts from one rule are grouped into incidents.
type EntitiesMatchingMethod string

const (
	// All Grouping alerts into a single incident if all the entities match
	All EntitiesMatchingMethod = "All"
	// Custom Grouping alerts into a single incident if the selected entities match
	Custom EntitiesMatchingMethod = "Custom"
	// None Grouping all alerts triggered by this rule into a single incident
	None EntitiesMatchingMethod = "None"
)

// PossibleEntitiesMatchingMethodValues returns an array of possible values for the EntitiesMatchingMethod const type.
func PossibleEntitiesMatchingMethodValues() []EntitiesMatchingMethod {
	methods := make([]EntitiesMatchingMethod, 0, 3)
	return append(methods,
		All,
		Custom,
		None,
	)
}

// EntityKind enumerates the values for entity kind. Note that the string
// values are not uniformly cased ("DnsResolution", "Ip", "Url"), and they
// differ from the otherwise similar EntityType values ("DNS", "IP", "URL"),
// so the two types must not be converted into each other by a plain cast.
type EntityKind string

const (
	// EntityKindAccount Entity represents account in the system.
	EntityKindAccount EntityKind = "Account"
	// EntityKindAzureResource Entity represents azure resource in the system.
	EntityKindAzureResource EntityKind = "AzureResource"
	// EntityKindBookmark Entity represents bookmark in the system.
	EntityKindBookmark EntityKind = "Bookmark"
	// EntityKindCloudApplication Entity represents cloud application in the system.
	EntityKindCloudApplication EntityKind = "CloudApplication"
	// EntityKindDNSResolution Entity represents dns resolution in the system.
	EntityKindDNSResolution EntityKind = "DnsResolution"
	// EntityKindFile Entity represents file in the system.
	EntityKindFile EntityKind = "File"
	// EntityKindFileHash Entity represents file hash in the system.
	EntityKindFileHash EntityKind = "FileHash"
	// EntityKindHost Entity represents host in the system.
	EntityKindHost EntityKind = "Host"
	// EntityKindIoTDevice Entity represents IoT device in the system.
	EntityKindIoTDevice EntityKind = "IoTDevice"
	// EntityKindIP Entity represents ip in the system.
	EntityKindIP EntityKind = "Ip"
	// EntityKindMailbox Entity represents mailbox in the system.
	EntityKindMailbox EntityKind = "Mailbox"
	// EntityKindMailCluster Entity represents mail cluster in the system.
	EntityKindMailCluster EntityKind = "MailCluster"
	// EntityKindMailMessage Entity represents mail message in the system.
	EntityKindMailMessage EntityKind = "MailMessage"
	// EntityKindMalware Entity represents malware in the system.
	EntityKindMalware EntityKind = "Malware"
	// EntityKindProcess Entity represents process in the system.
	EntityKindProcess EntityKind = "Process"
	// EntityKindRegistryKey Entity represents registry key in the system.
	EntityKindRegistryKey EntityKind = "RegistryKey"
	// EntityKindRegistryValue Entity represents registry value in the system.
	EntityKindRegistryValue EntityKind = "RegistryValue"
	// EntityKindSecurityAlert Entity represents security alert in the system.
	EntityKindSecurityAlert EntityKind = "SecurityAlert"
	// EntityKindSecurityGroup Entity represents security group in the system.
	EntityKindSecurityGroup EntityKind = "SecurityGroup"
	// EntityKindSubmissionMail Entity represents submission mail in the system.
	EntityKindSubmissionMail EntityKind = "SubmissionMail"
	// EntityKindURL Entity represents url in the system.
	EntityKindURL EntityKind = "Url"
)

// PossibleEntityKindValues returns an array of possible values for the EntityKind const type.
func PossibleEntityKindValues() []EntityKind {
	kinds := make([]EntityKind, 0, 21)
	return append(kinds,
		EntityKindAccount,
		EntityKindAzureResource,
		EntityKindBookmark,
		EntityKindCloudApplication,
		EntityKindDNSResolution,
		EntityKindFile,
		EntityKindFileHash,
		EntityKindHost,
		EntityKindIoTDevice,
		EntityKindIP,
		EntityKindMailbox,
		EntityKindMailCluster,
		EntityKindMailMessage,
		EntityKindMalware,
		EntityKindProcess,
		EntityKindRegistryKey,
		EntityKindRegistryValue,
		EntityKindSecurityAlert,
		EntityKindSecurityGroup,
		EntityKindSubmissionMail,
		EntityKindURL,
	)
}

// EntityQueryKind enumerates the values for entity query kind.
type EntityQueryKind string

const (
	// Expansion is the "Expansion" entity query kind.
	Expansion EntityQueryKind = "Expansion"
	// Insight is the "Insight" entity query kind.
	Insight EntityQueryKind = "Insight"
)

// PossibleEntityQueryKindValues returns an array of possible values for the EntityQueryKind const type.
func PossibleEntityQueryKindValues() []EntityQueryKind {
	kinds := make([]EntityQueryKind, 0, 2)
	return append(kinds,
		Expansion,
		Insight,
	)
}

// EntityTimelineKind enumerates the values for entity timeline kind.
type EntityTimelineKind string

const (
	// EntityTimelineKindActivity activity
	EntityTimelineKindActivity EntityTimelineKind = "Activity"
	// EntityTimelineKindBookmark bookmarks
	EntityTimelineKindBookmark EntityTimelineKind = "Bookmark"
	// EntityTimelineKindSecurityAlert security alerts
	EntityTimelineKindSecurityAlert EntityTimelineKind = "SecurityAlert"
)

// PossibleEntityTimelineKindValues returns an array of possible values for the EntityTimelineKind const type.
// A fresh slice is built on every call.
func PossibleEntityTimelineKindValues() []EntityTimelineKind {
	kinds := make([]EntityTimelineKind, 0, 3)
	return append(kinds,
		EntityTimelineKindActivity,
		EntityTimelineKindBookmark,
		EntityTimelineKindSecurityAlert,
	)
}

// EntityType enumerates the values for entity type. The string values use
// upper-case acronyms ("DNS", "IP", "URL") whereas EntityKind uses
// "DnsResolution", "Ip" and "Url"; the two enumerations are not
// interchangeable even where the identifiers look alike.
type EntityType string

const (
	// EntityTypeAccount Entity represents account in the system.
	EntityTypeAccount EntityType = "Account"
	// EntityTypeAzureResource Entity represents azure resource in the system.
	EntityTypeAzureResource EntityType = "AzureResource"
	// EntityTypeCloudApplication Entity represents cloud application in the system.
	EntityTypeCloudApplication EntityType = "CloudApplication"
	// EntityTypeDNS Entity represents dns in the system.
	EntityTypeDNS EntityType = "DNS"
	// EntityTypeFile Entity represents file in the system.
	EntityTypeFile EntityType = "File"
	// EntityTypeFileHash Entity represents file hash in the system.
	EntityTypeFileHash EntityType = "FileHash"
	// EntityTypeHost Entity represents host in the system.
	EntityTypeHost EntityType = "Host"
	// EntityTypeHuntingBookmark Entity represents HuntingBookmark in the system.
	EntityTypeHuntingBookmark EntityType = "HuntingBookmark"
	// EntityTypeIoTDevice Entity represents IoT device in the system.
	EntityTypeIoTDevice EntityType = "IoTDevice"
	// EntityTypeIP Entity represents ip in the system.
	EntityTypeIP EntityType = "IP"
	// EntityTypeMailbox Entity represents mailbox in the system.
	EntityTypeMailbox EntityType = "Mailbox"
	// EntityTypeMailCluster Entity represents mail cluster in the system.
	EntityTypeMailCluster EntityType = "MailCluster"
	// EntityTypeMailMessage Entity represents mail message in the system.
	EntityTypeMailMessage EntityType = "MailMessage"
	// EntityTypeMalware Entity represents malware in the system.
	EntityTypeMalware EntityType = "Malware"
	// EntityTypeProcess Entity represents process in the system.
	EntityTypeProcess EntityType = "Process"
	// EntityTypeRegistryKey Entity represents registry key in the system.
	EntityTypeRegistryKey EntityType = "RegistryKey"
	// EntityTypeRegistryValue Entity represents registry value in the system.
	EntityTypeRegistryValue EntityType = "RegistryValue"
	// EntityTypeSecurityAlert Entity represents security alert in the system.
	EntityTypeSecurityAlert EntityType = "SecurityAlert"
	// EntityTypeSecurityGroup Entity represents security group in the system.
	EntityTypeSecurityGroup EntityType = "SecurityGroup"
	// EntityTypeSubmissionMail Entity represents submission mail in the system.
	EntityTypeSubmissionMail EntityType = "SubmissionMail"
	// EntityTypeURL Entity represents url in the system.
	EntityTypeURL EntityType = "URL"
)

// PossibleEntityTypeValues returns an array of possible values for the EntityType const type.
func PossibleEntityTypeValues() []EntityType {
	types := make([]EntityType, 0, 21)
	return append(types,
		EntityTypeAccount,
		EntityTypeAzureResource,
		EntityTypeCloudApplication,
		EntityTypeDNS,
		EntityTypeFile,
		EntityTypeFileHash,
		EntityTypeHost,
		EntityTypeHuntingBookmark,
		EntityTypeIoTDevice,
		EntityTypeIP,
		EntityTypeMailbox,
		EntityTypeMailCluster,
		EntityTypeMailMessage,
		EntityTypeMalware,
		EntityTypeProcess,
		EntityTypeRegistryKey,
		EntityTypeRegistryValue,
		EntityTypeSecurityAlert,
		EntityTypeSecurityGroup,
		EntityTypeSubmissionMail,
		EntityTypeURL,
	)
}

// EventGroupingAggregationKind enumerates the values for event grouping
// aggregation kind: whether a scheduled query raises one alert per result row
// or a single alert for the whole result set.
type EventGroupingAggregationKind string

const (
	// AlertPerResult raises one alert for every query result.
	AlertPerResult EventGroupingAggregationKind = "AlertPerResult"
	// SingleAlert raises a single alert covering all query results.
	SingleAlert EventGroupingAggregationKind = "SingleAlert"
)

// PossibleEventGroupingAggregationKindValues returns an array of possible values for the EventGroupingAggregationKind const type.
func PossibleEventGroupingAggregationKindValues() []EventGroupingAggregationKind {
	kinds := make([]EventGroupingAggregationKind, 0, 2)
	return append(kinds,
		AlertPerResult,
		SingleAlert,
	)
}

// FileHashAlgorithm enumerates the values for file hash algorithm.
// MD5 and SHA1 are not collision-resistant: treat a match on either as an
// indexing key for correlating observations, not as proof that two files are
// identical, and prefer SHA256 where the source provides it.
type FileHashAlgorithm string

const (
	// FileHashAlgorithmMD5 MD5 hash type
	FileHashAlgorithmMD5 FileHashAlgorithm = "MD5"
	// FileHashAlgorithmSHA1 SHA1 hash type
	FileHashAlgorithmSHA1 FileHashAlgorithm = "SHA1"
	// FileHashAlgorithmSHA256 SHA256 hash type
	FileHashAlgorithmSHA256 FileHashAlgorithm = "SHA256"
	// FileHashAlgorithmSHA256AC SHA256 Authenticode hash type
	FileHashAlgorithmSHA256AC FileHashAlgorithm = "SHA256AC"
	// FileHashAlgorithmUnknown Unknown hash algorithm
	FileHashAlgorithmUnknown FileHashAlgorithm = "Unknown"
)

// PossibleFileHashAlgorithmValues returns an array of possible values for the FileHashAlgorithm const type.
func PossibleFileHashAlgorithmValues() []FileHashAlgorithm {
	algorithms := make([]FileHashAlgorithm, 0, 5)
	return append(algorithms,
		FileHashAlgorithmMD5,
		FileHashAlgorithmSHA1,
		FileHashAlgorithmSHA256,
		FileHashAlgorithmSHA256AC,
		FileHashAlgorithmUnknown,
	)
}

// GroupingEntityType enumerates the values for grouping entity type: the
// entity types an incident grouping configuration may match on. Its string
// values ("Ip", "Url") follow the EntityKind spelling, not EntityType.
type GroupingEntityType string

const (
	// Account Account entity
	Account GroupingEntityType = "Account"
	// FileHash FileHash entity
	FileHash GroupingEntityType = "FileHash"
	// Host Host entity
	Host GroupingEntityType = "Host"
	// IP Ip entity
	IP GroupingEntityType = "Ip"
	// URL Url entity
	URL GroupingEntityType = "Url"
)

// PossibleGroupingEntityTypeValues returns an array of possible values for the GroupingEntityType const type.
func PossibleGroupingEntityTypeValues() []GroupingEntityType {
	types := make([]GroupingEntityType, 0, 5)
	return append(types,
		Account,
		FileHash,
		Host,
		IP,
		URL,
	)
}

// IncidentClassification enumerates the values for incident classification,
// recorded when an incident is closed.
type IncidentClassification string

const (
	// IncidentClassificationBenignPositive Incident was benign positive
	IncidentClassificationBenignPositive IncidentClassification = "BenignPositive"
	// IncidentClassificationFalsePositive Incident was false positive
	IncidentClassificationFalsePositive IncidentClassification = "FalsePositive"
	// IncidentClassificationTruePositive Incident was true positive
	IncidentClassificationTruePositive IncidentClassification = "TruePositive"
	// IncidentClassificationUndetermined Incident classification was undetermined
	IncidentClassificationUndetermined IncidentClassification = "Undetermined"
)

// PossibleIncidentClassificationValues returns an array of possible values for the IncidentClassification const type.
func PossibleIncidentClassificationValues() []IncidentClassification {
	classifications := make([]IncidentClassification, 0, 4)
	return append(classifications,
		IncidentClassificationBenignPositive,
		IncidentClassificationFalsePositive,
		IncidentClassificationTruePositive,
		IncidentClassificationUndetermined,
	)
}

// IncidentClassificationReason enumerates the values for incident
// classification reason, refining an IncidentClassification.
type IncidentClassificationReason string

const (
	// InaccurateData Classification reason was inaccurate data
	InaccurateData IncidentClassificationReason = "InaccurateData"
	// IncorrectAlertLogic Classification reason was incorrect alert logic
	IncorrectAlertLogic IncidentClassificationReason = "IncorrectAlertLogic"
	// SuspiciousActivity Classification reason was suspicious activity
	SuspiciousActivity IncidentClassificationReason = "SuspiciousActivity"
	// SuspiciousButExpected Classification reason was suspicious but expected
	SuspiciousButExpected IncidentClassificationReason = "SuspiciousButExpected"
)

// PossibleIncidentClassificationReasonValues returns an array of possible values for the IncidentClassificationReason const type.
func PossibleIncidentClassificationReasonValues() []IncidentClassificationReason {
	reasons := make([]IncidentClassificationReason, 0, 4)
	return append(reasons,
		InaccurateData,
		IncorrectAlertLogic,
		SuspiciousActivity,
		SuspiciousButExpected,
	)
}

// IncidentLabelType enumerates the values for incident label type.
type IncidentLabelType string

const (
	// System Label automatically created by the system
	System IncidentLabelType = "System"
	// User Label manually created by a user
	User IncidentLabelType = "User"
)

// PossibleIncidentLabelTypeValues returns an array of possible values for the IncidentLabelType const type.
func PossibleIncidentLabelTypeValues() []IncidentLabelType {
	labelTypes := make([]IncidentLabelType, 0, 2)
	return append(labelTypes,
		System,
		User,
	)
}

// IncidentSeverity enumerates the values for incident severity.
type IncidentSeverity string

const (
	// IncidentSeverityHigh High severity
	IncidentSeverityHigh IncidentSeverity = "High"
	// IncidentSeverityInformational Informational severity
	IncidentSeverityInformational IncidentSeverity = "Informational"
	// IncidentSeverityLow Low severity
	IncidentSeverityLow IncidentSeverity = "Low"
	// IncidentSeverityMedium Medium severity
	IncidentSeverityMedium IncidentSeverity = "Medium"
)

// PossibleIncidentSeverityValues returns an array of possible values for the IncidentSeverity const type.
// A new slice is allocated on each call.
func PossibleIncidentSeverityValues() []IncidentSeverity {
	return []IncidentSeverity{IncidentSeverityHigh, IncidentSeverityInformational, IncidentSeverityLow, IncidentSeverityMedium}
}

// IncidentStatus enumerates the values for incident status.
type IncidentStatus string

const (
	// IncidentStatusActive An active incident which is being handled
	IncidentStatusActive IncidentStatus = "Active"
	// IncidentStatusClosed A non-active incident
	IncidentStatusClosed IncidentStatus = "Closed"
	// IncidentStatusNew An active incident which isn't being handled currently
	IncidentStatusNew IncidentStatus = "New"
)

// PossibleIncidentStatusValues returns an array of possible values for the IncidentStatus const type.
// A new slice is allocated on each call.
func PossibleIncidentStatusValues() []IncidentStatus {
	return []IncidentStatus{IncidentStatusActive, IncidentStatusClosed, IncidentStatusNew}
}

// KillChainIntent enumerates the values for kill chain intent.
type KillChainIntent string

const (
	// KillChainIntentCollection Collection consists of techniques used to identify and gather information,
	// such as sensitive files, from a target network prior to exfiltration. This category also covers
	// locations on a system or network where the adversary may look for information to exfiltrate.
	KillChainIntentCollection KillChainIntent = "Collection"
	// KillChainIntentCommandAndControl The command and control tactic represents how adversaries communicate
	// with systems under their control within a target network.
	KillChainIntentCommandAndControl KillChainIntent = "CommandAndControl"
	// KillChainIntentCredentialAccess Credential access represents techniques resulting in access to or
	// control over system, domain, or service credentials that are used within an enterprise environment.
	// Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts
	// (local system administrator or domain users with administrator access) to use within the network. With
	// sufficient access within a network, an adversary can create accounts for later use within the
	// environment.
	KillChainIntentCredentialAccess KillChainIntent = "CredentialAccess"
	// KillChainIntentDefenseEvasion Defense evasion consists of techniques an adversary may use to evade
	// detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques
	// in other categories that have the added benefit of subverting a particular defense or mitigation.
	KillChainIntentDefenseEvasion KillChainIntent = "DefenseEvasion"
	// KillChainIntentDiscovery Discovery consists of techniques that allow the adversary to gain knowledge
	// about the system and internal network. When adversaries gain access to a new system, they must orient
	// themselves to what they now have control of and what benefits operating from that system give to their
	// current objective or overall goals during the intrusion. The operating system provides many native tools
	// that aid in this post-compromise information-gathering phase.
	KillChainIntentDiscovery KillChainIntent = "Discovery"
	// KillChainIntentExecution The execution tactic represents techniques that result in execution of
	// adversary-controlled code on a local or remote system. This tactic is often used in conjunction with
	// lateral movement to expand access to remote systems on a network.
	KillChainIntentExecution KillChainIntent = "Execution"
	// KillChainIntentExfiltration Exfiltration refers to techniques and attributes that result or aid in the
	// adversary removing files and information from a target network. This category also covers locations on a
	// system or network where the adversary may look for information to exfiltrate.
	KillChainIntentExfiltration KillChainIntent = "Exfiltration"
	// KillChainIntentExploitation Exploitation is the stage where an attacker manages to get a foothold on the
	// attacked resource. This stage is applicable not only for compute hosts, but also for resources such as
	// user accounts, certificates etc. Adversaries will often be able to control the resource after this
	// stage.
	KillChainIntentExploitation KillChainIntent = "Exploitation"
	// KillChainIntentImpact The impact intent's primary objective is to directly reduce the availability or
	// integrity of a system, service, or network; including manipulation of data to impact a business or
	// operational process. This would often refer to techniques such as ransomware, defacement, data
	// manipulation and others.
	KillChainIntentImpact KillChainIntent = "Impact"
	// KillChainIntentLateralMovement Lateral movement consists of techniques that enable an adversary to
	// access and control remote systems on a network and could, but does not necessarily, include execution of
	// tools on remote systems. The lateral movement techniques could allow an adversary to gather information
	// from a system without needing additional tools, such as a remote access tool. An adversary can use
	// lateral movement for many purposes, including remote execution of tools, pivoting to additional systems,
	// access to specific information or files, access to additional credentials, or to cause an effect.
	KillChainIntentLateralMovement KillChainIntent = "LateralMovement"
	// KillChainIntentPersistence Persistence is any access, action, or configuration change to a system that
	// gives an adversary a persistent presence on that system. Adversaries will often need to maintain access
	// to systems through interruptions such as system restarts, loss of credentials, or other failures that
	// would require a remote access tool to restart or alternate backdoor for them to regain access.
	KillChainIntentPersistence KillChainIntent = "Persistence"
	// KillChainIntentPrivilegeEscalation Privilege escalation is the result of actions that allow an adversary
	// to obtain a higher level of permissions on a system or network. Certain tools or actions require a
	// higher level of privilege to work and are likely necessary at many points throughout an operation. User
	// accounts with permissions to access specific systems or perform specific functions necessary for
	// adversaries to achieve their objective may also be considered an escalation of privilege.
	KillChainIntentPrivilegeEscalation KillChainIntent = "PrivilegeEscalation"
	// KillChainIntentProbing Probing could be an attempt to access a certain resource regardless of
	// malicious intent or a failed attempt to gain access to a target system to gather information prior to
	// exploitation. This step is usually detected as an attempt originating from outside the network in an
	// attempt to scan the target system and find a way in.
	KillChainIntentProbing KillChainIntent = "Probing"
	// KillChainIntentUnknown The default value.
	KillChainIntentUnknown KillChainIntent = "Unknown"
)

// PossibleKillChainIntentValues returns an array of possible values for the KillChainIntent const type.
// A new slice is allocated on each call; KillChainIntentUnknown (the default) is listed last.
func PossibleKillChainIntentValues() []KillChainIntent {
	return []KillChainIntent{KillChainIntentCollection, KillChainIntentCommandAndControl, KillChainIntentCredentialAccess, KillChainIntentDefenseEvasion, KillChainIntentDiscovery, KillChainIntentExecution, KillChainIntentExfiltration, KillChainIntentExploitation, KillChainIntentImpact, KillChainIntentLateralMovement, KillChainIntentPersistence, KillChainIntentPrivilegeEscalation, KillChainIntentProbing, KillChainIntentUnknown}
}

// Kind enumerates the values for kind.
type Kind string

const (
	// KindAggregations is the Kind with wire value "Aggregations".
	KindAggregations Kind = "Aggregations"
	// KindCasesAggregation is the Kind with wire value "CasesAggregation".
	KindCasesAggregation Kind = "CasesAggregation"
)

// PossibleKindValues returns an array of possible values for the Kind const type.
// A new slice is allocated on each call.
func PossibleKindValues() []Kind {
	return []Kind{KindAggregations, KindCasesAggregation}
}

// KindBasicAlertRule enumerates the values for kind basic alert rule.
type KindBasicAlertRule string

// NOTE: several other Kind* types in this package share the same wire strings
// (e.g. "Fusion", "Scheduled"); they are distinct Go types and are not interchangeable.
const (
	// KindAlertRule is the KindBasicAlertRule with wire value "AlertRule".
	KindAlertRule KindBasicAlertRule = "AlertRule"
	// KindFusion is the KindBasicAlertRule with wire value "Fusion".
	KindFusion KindBasicAlertRule = "Fusion"
	// KindMicrosoftSecurityIncidentCreation is the KindBasicAlertRule with wire value "MicrosoftSecurityIncidentCreation".
	KindMicrosoftSecurityIncidentCreation KindBasicAlertRule = "MicrosoftSecurityIncidentCreation"
	// KindMLBehaviorAnalytics is the KindBasicAlertRule with wire value "MLBehaviorAnalytics".
	KindMLBehaviorAnalytics KindBasicAlertRule = "MLBehaviorAnalytics"
	// KindScheduled is the KindBasicAlertRule with wire value "Scheduled".
	KindScheduled KindBasicAlertRule = "Scheduled"
)

// PossibleKindBasicAlertRuleValues returns an array of possible values for the KindBasicAlertRule const type.
func PossibleKindBasicAlertRuleValues() []KindBasicAlertRule {
	// A fresh slice literal is built on every call.
	return []KindBasicAlertRule{KindAlertRule, KindFusion, KindMicrosoftSecurityIncidentCreation, KindMLBehaviorAnalytics, KindScheduled}
}

// KindBasicAlertRuleTemplate enumerates the values for kind basic alert rule template.
type KindBasicAlertRuleTemplate string

// The constants carry the full type name as a prefix because the shorter Kind* names
// are already taken by KindBasicAlertRule above.
const (
	// KindBasicAlertRuleTemplateKindAlertRuleTemplate is the KindBasicAlertRuleTemplate with wire value "AlertRuleTemplate".
	KindBasicAlertRuleTemplateKindAlertRuleTemplate KindBasicAlertRuleTemplate = "AlertRuleTemplate"
	// KindBasicAlertRuleTemplateKindFusion is the KindBasicAlertRuleTemplate with wire value "Fusion".
	KindBasicAlertRuleTemplateKindFusion KindBasicAlertRuleTemplate = "Fusion"
	// KindBasicAlertRuleTemplateKindMicrosoftSecurityIncidentCreation is the KindBasicAlertRuleTemplate with wire value "MicrosoftSecurityIncidentCreation".
	KindBasicAlertRuleTemplateKindMicrosoftSecurityIncidentCreation KindBasicAlertRuleTemplate = "MicrosoftSecurityIncidentCreation"
	// KindBasicAlertRuleTemplateKindMLBehaviorAnalytics is the KindBasicAlertRuleTemplate with wire value "MLBehaviorAnalytics".
	KindBasicAlertRuleTemplateKindMLBehaviorAnalytics KindBasicAlertRuleTemplate = "MLBehaviorAnalytics"
	// KindBasicAlertRuleTemplateKindScheduled is the KindBasicAlertRuleTemplate with wire value "Scheduled".
	KindBasicAlertRuleTemplateKindScheduled KindBasicAlertRuleTemplate = "Scheduled"
)

// PossibleKindBasicAlertRuleTemplateValues returns an array of possible values for the KindBasicAlertRuleTemplate const type.
// A new slice is allocated on each call.
func PossibleKindBasicAlertRuleTemplateValues() []KindBasicAlertRuleTemplate {
	return []KindBasicAlertRuleTemplate{KindBasicAlertRuleTemplateKindAlertRuleTemplate, KindBasicAlertRuleTemplateKindFusion, KindBasicAlertRuleTemplateKindMicrosoftSecurityIncidentCreation, KindBasicAlertRuleTemplateKindMLBehaviorAnalytics, KindBasicAlertRuleTemplateKindScheduled}
}

// KindBasicDataConnector enumerates the values for kind basic data connector.
type KindBasicDataConnector string

const (
	// KindAmazonWebServicesCloudTrail is the KindBasicDataConnector with wire value "AmazonWebServicesCloudTrail".
	KindAmazonWebServicesCloudTrail KindBasicDataConnector = "AmazonWebServicesCloudTrail"
	// KindAzureActiveDirectory is the KindBasicDataConnector with wire value "AzureActiveDirectory".
	KindAzureActiveDirectory KindBasicDataConnector = "AzureActiveDirectory"
	// KindAzureAdvancedThreatProtection is the KindBasicDataConnector with wire value "AzureAdvancedThreatProtection".
	KindAzureAdvancedThreatProtection KindBasicDataConnector = "AzureAdvancedThreatProtection"
	// KindAzureSecurityCenter is the KindBasicDataConnector with wire value "AzureSecurityCenter".
	KindAzureSecurityCenter KindBasicDataConnector = "AzureSecurityCenter"
	// KindDataConnector is the KindBasicDataConnector with wire value "DataConnector".
	KindDataConnector KindBasicDataConnector = "DataConnector"
	// KindDynamics365 is the KindBasicDataConnector with wire value "Dynamics365".
	KindDynamics365 KindBasicDataConnector = "Dynamics365"
	// KindMicrosoftCloudAppSecurity is the KindBasicDataConnector with wire value "MicrosoftCloudAppSecurity".
	KindMicrosoftCloudAppSecurity KindBasicDataConnector = "MicrosoftCloudAppSecurity"
	// KindMicrosoftDefenderAdvancedThreatProtection is the KindBasicDataConnector with wire value "MicrosoftDefenderAdvancedThreatProtection".
	KindMicrosoftDefenderAdvancedThreatProtection KindBasicDataConnector = "MicrosoftDefenderAdvancedThreatProtection"
	// KindOffice365 is the KindBasicDataConnector with wire value "Office365".
	KindOffice365 KindBasicDataConnector = "Office365"
	// KindOfficeATP is the KindBasicDataConnector with wire value "OfficeATP".
	KindOfficeATP KindBasicDataConnector = "OfficeATP"
	// KindThreatIntelligence is the KindBasicDataConnector with wire value "ThreatIntelligence".
	KindThreatIntelligence KindBasicDataConnector = "ThreatIntelligence"
	// KindThreatIntelligenceTaxii is the KindBasicDataConnector with wire value "ThreatIntelligenceTaxii".
	KindThreatIntelligenceTaxii KindBasicDataConnector = "ThreatIntelligenceTaxii"
)

// PossibleKindBasicDataConnectorValues returns an array of possible values for the KindBasicDataConnector const type.
// A new slice is allocated on each call.
func PossibleKindBasicDataConnectorValues() []KindBasicDataConnector {
	return []KindBasicDataConnector{KindAmazonWebServicesCloudTrail, KindAzureActiveDirectory, KindAzureAdvancedThreatProtection, KindAzureSecurityCenter, KindDataConnector, KindDynamics365, KindMicrosoftCloudAppSecurity, KindMicrosoftDefenderAdvancedThreatProtection, KindOffice365, KindOfficeATP, KindThreatIntelligence, KindThreatIntelligenceTaxii}
}

// KindBasicDataConnectorsCheckRequirements enumerates the values for kind basic data connectors check
// requirements.
type KindBasicDataConnectorsCheckRequirements string

// The wire values mirror those of KindBasicDataConnector (minus "Office365", plus
// "DataConnectorsCheckRequirements"); the two Go types are nevertheless distinct.
const (
	// KindBasicDataConnectorsCheckRequirementsKindAmazonWebServicesCloudTrail is the KindBasicDataConnectorsCheckRequirements with wire value "AmazonWebServicesCloudTrail".
	KindBasicDataConnectorsCheckRequirementsKindAmazonWebServicesCloudTrail KindBasicDataConnectorsCheckRequirements = "AmazonWebServicesCloudTrail"
	// KindBasicDataConnectorsCheckRequirementsKindAzureActiveDirectory is the KindBasicDataConnectorsCheckRequirements with wire value "AzureActiveDirectory".
	KindBasicDataConnectorsCheckRequirementsKindAzureActiveDirectory KindBasicDataConnectorsCheckRequirements = "AzureActiveDirectory"
	// KindBasicDataConnectorsCheckRequirementsKindAzureAdvancedThreatProtection is the KindBasicDataConnectorsCheckRequirements with wire value "AzureAdvancedThreatProtection".
	KindBasicDataConnectorsCheckRequirementsKindAzureAdvancedThreatProtection KindBasicDataConnectorsCheckRequirements = "AzureAdvancedThreatProtection"
	// KindBasicDataConnectorsCheckRequirementsKindAzureSecurityCenter is the KindBasicDataConnectorsCheckRequirements with wire value "AzureSecurityCenter".
	KindBasicDataConnectorsCheckRequirementsKindAzureSecurityCenter KindBasicDataConnectorsCheckRequirements = "AzureSecurityCenter"
	// KindBasicDataConnectorsCheckRequirementsKindDataConnectorsCheckRequirements is the KindBasicDataConnectorsCheckRequirements with wire value "DataConnectorsCheckRequirements".
	KindBasicDataConnectorsCheckRequirementsKindDataConnectorsCheckRequirements KindBasicDataConnectorsCheckRequirements = "DataConnectorsCheckRequirements"
	// KindBasicDataConnectorsCheckRequirementsKindDynamics365 is the KindBasicDataConnectorsCheckRequirements with wire value "Dynamics365".
	KindBasicDataConnectorsCheckRequirementsKindDynamics365 KindBasicDataConnectorsCheckRequirements = "Dynamics365"
	// KindBasicDataConnectorsCheckRequirementsKindMicrosoftCloudAppSecurity is the KindBasicDataConnectorsCheckRequirements with wire value "MicrosoftCloudAppSecurity".
	KindBasicDataConnectorsCheckRequirementsKindMicrosoftCloudAppSecurity KindBasicDataConnectorsCheckRequirements = "MicrosoftCloudAppSecurity"
	// KindBasicDataConnectorsCheckRequirementsKindMicrosoftDefenderAdvancedThreatProtection is the KindBasicDataConnectorsCheckRequirements with wire value "MicrosoftDefenderAdvancedThreatProtection".
	KindBasicDataConnectorsCheckRequirementsKindMicrosoftDefenderAdvancedThreatProtection KindBasicDataConnectorsCheckRequirements = "MicrosoftDefenderAdvancedThreatProtection"
	// KindBasicDataConnectorsCheckRequirementsKindOfficeATP is the KindBasicDataConnectorsCheckRequirements with wire value "OfficeATP".
	KindBasicDataConnectorsCheckRequirementsKindOfficeATP KindBasicDataConnectorsCheckRequirements = "OfficeATP"
	// KindBasicDataConnectorsCheckRequirementsKindThreatIntelligence is the KindBasicDataConnectorsCheckRequirements with wire value "ThreatIntelligence".
	KindBasicDataConnectorsCheckRequirementsKindThreatIntelligence KindBasicDataConnectorsCheckRequirements = "ThreatIntelligence"
	// KindBasicDataConnectorsCheckRequirementsKindThreatIntelligenceTaxii is the KindBasicDataConnectorsCheckRequirements with wire value "ThreatIntelligenceTaxii".
	KindBasicDataConnectorsCheckRequirementsKindThreatIntelligenceTaxii KindBasicDataConnectorsCheckRequirements = "ThreatIntelligenceTaxii"
)

// PossibleKindBasicDataConnectorsCheckRequirementsValues returns an array of possible values for the KindBasicDataConnectorsCheckRequirements const type.
// A new slice is allocated on each call.
func PossibleKindBasicDataConnectorsCheckRequirementsValues() []KindBasicDataConnectorsCheckRequirements {
	return []KindBasicDataConnectorsCheckRequirements{KindBasicDataConnectorsCheckRequirementsKindAmazonWebServicesCloudTrail, KindBasicDataConnectorsCheckRequirementsKindAzureActiveDirectory, KindBasicDataConnectorsCheckRequirementsKindAzureAdvancedThreatProtection, KindBasicDataConnectorsCheckRequirementsKindAzureSecurityCenter, KindBasicDataConnectorsCheckRequirementsKindDataConnectorsCheckRequirements, KindBasicDataConnectorsCheckRequirementsKindDynamics365, KindBasicDataConnectorsCheckRequirementsKindMicrosoftCloudAppSecurity, KindBasicDataConnectorsCheckRequirementsKindMicrosoftDefenderAdvancedThreatProtection, KindBasicDataConnectorsCheckRequirementsKindOfficeATP, KindBasicDataConnectorsCheckRequirementsKindThreatIntelligence, KindBasicDataConnectorsCheckRequirementsKindThreatIntelligenceTaxii}
}

// KindBasicEntity enumerates the values for kind basic entity.
type KindBasicEntity string

// NOTE: for a few entries the Go identifier's casing differs from the wire string
// (KindDNSResolution -> "DnsResolution", KindIP -> "Ip", KindURL -> "Url"). Always use
// the constant rather than re-deriving the string from the identifier.
const (
	// KindAccount is the KindBasicEntity with wire value "Account".
	KindAccount KindBasicEntity = "Account"
	// KindAzureResource is the KindBasicEntity with wire value "AzureResource".
	KindAzureResource KindBasicEntity = "AzureResource"
	// KindBookmark is the KindBasicEntity with wire value "Bookmark".
	KindBookmark KindBasicEntity = "Bookmark"
	// KindCloudApplication is the KindBasicEntity with wire value "CloudApplication".
	KindCloudApplication KindBasicEntity = "CloudApplication"
	// KindDNSResolution is the KindBasicEntity with wire value "DnsResolution" (note the casing).
	KindDNSResolution KindBasicEntity = "DnsResolution"
	// KindEntity is the KindBasicEntity with wire value "Entity".
	KindEntity KindBasicEntity = "Entity"
	// KindFile is the KindBasicEntity with wire value "File".
	KindFile KindBasicEntity = "File"
	// KindFileHash is the KindBasicEntity with wire value "FileHash".
	KindFileHash KindBasicEntity = "FileHash"
	// KindHost is the KindBasicEntity with wire value "Host".
	KindHost KindBasicEntity = "Host"
	// KindIoTDevice is the KindBasicEntity with wire value "IoTDevice".
	KindIoTDevice KindBasicEntity = "IoTDevice"
	// KindIP is the KindBasicEntity with wire value "Ip" (note the casing).
	KindIP KindBasicEntity = "Ip"
	// KindMailbox is the KindBasicEntity with wire value "Mailbox".
	KindMailbox KindBasicEntity = "Mailbox"
	// KindMailCluster is the KindBasicEntity with wire value "MailCluster".
	KindMailCluster KindBasicEntity = "MailCluster"
	// KindMailMessage is the KindBasicEntity with wire value "MailMessage".
	KindMailMessage KindBasicEntity = "MailMessage"
	// KindMalware is the KindBasicEntity with wire value "Malware".
	KindMalware KindBasicEntity = "Malware"
	// KindProcess is the KindBasicEntity with wire value "Process".
	KindProcess KindBasicEntity = "Process"
	// KindRegistryKey is the KindBasicEntity with wire value "RegistryKey".
	KindRegistryKey KindBasicEntity = "RegistryKey"
	// KindRegistryValue is the KindBasicEntity with wire value "RegistryValue".
	KindRegistryValue KindBasicEntity = "RegistryValue"
	// KindSecurityAlert is the KindBasicEntity with wire value "SecurityAlert".
	KindSecurityAlert KindBasicEntity = "SecurityAlert"
	// KindSecurityGroup is the KindBasicEntity with wire value "SecurityGroup".
	KindSecurityGroup KindBasicEntity = "SecurityGroup"
	// KindSubmissionMail is the KindBasicEntity with wire value "SubmissionMail".
	KindSubmissionMail KindBasicEntity = "SubmissionMail"
	// KindURL is the KindBasicEntity with wire value "Url" (note the casing).
	KindURL KindBasicEntity = "Url"
)

// PossibleKindBasicEntityValues returns an array of possible values for the KindBasicEntity const type.
func PossibleKindBasicEntityValues() []KindBasicEntity {
	// A fresh slice literal is built on every call.
	return []KindBasicEntity{KindAccount, KindAzureResource, KindBookmark, KindCloudApplication, KindDNSResolution, KindEntity, KindFile, KindFileHash, KindHost, KindIoTDevice, KindIP, KindMailbox, KindMailCluster, KindMailMessage, KindMalware, KindProcess, KindRegistryKey, KindRegistryValue, KindSecurityAlert, KindSecurityGroup, KindSubmissionMail, KindURL}
}

// KindBasicEntityQuery enumerates the values for kind basic entity query.
type KindBasicEntityQuery string

const (
	// KindEntityQuery is the KindBasicEntityQuery with wire value "EntityQuery".
	KindEntityQuery KindBasicEntityQuery = "EntityQuery"
	// KindExpansion is the KindBasicEntityQuery with wire value "Expansion".
	KindExpansion KindBasicEntityQuery = "Expansion"
)

// PossibleKindBasicEntityQueryValues returns an array of possible values for the KindBasicEntityQuery const type.
// A new slice is allocated on each call.
func PossibleKindBasicEntityQueryValues() []KindBasicEntityQuery {
	return []KindBasicEntityQuery{KindEntityQuery, KindExpansion}
}

// KindBasicEntityQueryItem enumerates the values for kind basic entity query item.
type KindBasicEntityQueryItem string

const (
	// KindEntityQueryItem is the KindBasicEntityQueryItem with wire value "EntityQueryItem".
	KindEntityQueryItem KindBasicEntityQueryItem = "EntityQueryItem"
	// KindInsight is the KindBasicEntityQueryItem with wire value "Insight".
	KindInsight KindBasicEntityQueryItem = "Insight"
)

// PossibleKindBasicEntityQueryItemValues returns an array of possible values for the KindBasicEntityQueryItem const type.
// A new slice is allocated on each call.
func PossibleKindBasicEntityQueryItemValues() []KindBasicEntityQueryItem {
	return []KindBasicEntityQueryItem{KindEntityQueryItem, KindInsight}
}

// KindBasicEntityTimelineItem enumerates the values for kind basic entity timeline item.
type KindBasicEntityTimelineItem string

// Fully prefixed names are used here because "Bookmark" and "SecurityAlert" already exist
// as KindBasicEntity constants (KindBookmark, KindSecurityAlert).
const (
	// KindBasicEntityTimelineItemKindActivity is the KindBasicEntityTimelineItem with wire value "Activity".
	KindBasicEntityTimelineItemKindActivity KindBasicEntityTimelineItem = "Activity"
	// KindBasicEntityTimelineItemKindBookmark is the KindBasicEntityTimelineItem with wire value "Bookmark".
	KindBasicEntityTimelineItemKindBookmark KindBasicEntityTimelineItem = "Bookmark"
	// KindBasicEntityTimelineItemKindEntityTimelineItem is the KindBasicEntityTimelineItem with wire value "EntityTimelineItem".
	KindBasicEntityTimelineItemKindEntityTimelineItem KindBasicEntityTimelineItem = "EntityTimelineItem"
	// KindBasicEntityTimelineItemKindSecurityAlert is the KindBasicEntityTimelineItem with wire value "SecurityAlert".
	KindBasicEntityTimelineItemKindSecurityAlert KindBasicEntityTimelineItem = "SecurityAlert"
)

// PossibleKindBasicEntityTimelineItemValues returns an array of possible values for the KindBasicEntityTimelineItem const type.
// A new slice is allocated on each call.
func PossibleKindBasicEntityTimelineItemValues() []KindBasicEntityTimelineItem {
	return []KindBasicEntityTimelineItem{KindBasicEntityTimelineItemKindActivity, KindBasicEntityTimelineItemKindBookmark, KindBasicEntityTimelineItemKindEntityTimelineItem, KindBasicEntityTimelineItemKindSecurityAlert}
}

// KindBasicSettings enumerates the values for kind basic settings.
type KindBasicSettings string

const (
	// KindEntityAnalytics is the KindBasicSettings with wire value "EntityAnalytics".
	KindEntityAnalytics KindBasicSettings = "EntityAnalytics"
	// KindEyesOn is the KindBasicSettings with wire value "EyesOn".
	KindEyesOn KindBasicSettings = "EyesOn"
	// KindSettings is the KindBasicSettings with wire value "Settings".
	KindSettings KindBasicSettings = "Settings"
	// KindUeba is the KindBasicSettings with wire value "Ueba".
	KindUeba KindBasicSettings = "Ueba"
)

// PossibleKindBasicSettingsValues returns an array of possible values for the KindBasicSettings const type.
// A new slice is allocated on each call.
func PossibleKindBasicSettingsValues() []KindBasicSettings {
	return []KindBasicSettings{KindEntityAnalytics, KindEyesOn, KindSettings, KindUeba}
}

// KindBasicThreatIntelligenceInformation enumerates the values for kind basic threat intelligence information.
type KindBasicThreatIntelligenceInformation string

const (
	// KindIndicator is the KindBasicThreatIntelligenceInformation with wire value "indicator".
	// NOTE: unlike the other Kind* values in this file, the wire string is all lowercase;
	// a case-sensitive comparison against "Indicator" would not match.
	KindIndicator KindBasicThreatIntelligenceInformation = "indicator"
	// KindThreatIntelligenceInformation is the KindBasicThreatIntelligenceInformation with wire value "ThreatIntelligenceInformation".
	KindThreatIntelligenceInformation KindBasicThreatIntelligenceInformation = "ThreatIntelligenceInformation"
)

// PossibleKindBasicThreatIntelligenceInformationValues returns an array of possible values for the KindBasicThreatIntelligenceInformation const type.
// A new slice is allocated on each call.
func PossibleKindBasicThreatIntelligenceInformationValues() []KindBasicThreatIntelligenceInformation {
	return []KindBasicThreatIntelligenceInformation{KindIndicator, KindThreatIntelligenceInformation}
}

// MicrosoftSecurityProductName enumerates the values for microsoft security product name.
type MicrosoftSecurityProductName string

// The wire values are human-readable product names and contain spaces; they are not
// identifiers and must be matched exactly.
const (
	// AzureActiveDirectoryIdentityProtection is the MicrosoftSecurityProductName with wire value "Azure Active Directory Identity Protection".
	AzureActiveDirectoryIdentityProtection MicrosoftSecurityProductName = "Azure Active Directory Identity Protection"
	// AzureAdvancedThreatProtection is the MicrosoftSecurityProductName with wire value "Azure Advanced Threat Protection".
	AzureAdvancedThreatProtection MicrosoftSecurityProductName = "Azure Advanced Threat Protection"
	// AzureSecurityCenter is the MicrosoftSecurityProductName with wire value "Azure Security Center".
	AzureSecurityCenter MicrosoftSecurityProductName = "Azure Security Center"
	// AzureSecurityCenterforIoT is the MicrosoftSecurityProductName with wire value "Azure Security Center for IoT".
	AzureSecurityCenterforIoT MicrosoftSecurityProductName = "Azure Security Center for IoT"
	// MicrosoftCloudAppSecurity is the MicrosoftSecurityProductName with wire value "Microsoft Cloud App Security".
	MicrosoftCloudAppSecurity MicrosoftSecurityProductName = "Microsoft Cloud App Security"
	// MicrosoftDefenderAdvancedThreatProtection is the MicrosoftSecurityProductName with wire value "Microsoft Defender Advanced Threat Protection".
	MicrosoftDefenderAdvancedThreatProtection MicrosoftSecurityProductName = "Microsoft Defender Advanced Threat Protection"
	// Office365AdvancedThreatProtection is the MicrosoftSecurityProductName with wire value "Office 365 Advanced Threat Protection".
	Office365AdvancedThreatProtection MicrosoftSecurityProductName = "Office 365 Advanced Threat Protection"
)

// PossibleMicrosoftSecurityProductNameValues returns an array of possible values for the MicrosoftSecurityProductName const type.
func PossibleMicrosoftSecurityProductNameValues() []MicrosoftSecurityProductName {
	// A fresh slice literal is built on every call.
	return []MicrosoftSecurityProductName{AzureActiveDirectoryIdentityProtection, AzureAdvancedThreatProtection, AzureSecurityCenter, AzureSecurityCenterforIoT, MicrosoftCloudAppSecurity, MicrosoftDefenderAdvancedThreatProtection, Office365AdvancedThreatProtection}
}

// OSFamily enumerates the values for os family.
type OSFamily string

const (
	// OSFamilyAndroid Host with Android operating system.
	OSFamilyAndroid OSFamily = "Android"
	// OSFamilyIOS Host with IOS operating system.
	OSFamilyIOS OSFamily = "IOS"
	// OSFamilyLinux Host with Linux operating system.
	OSFamilyLinux OSFamily = "Linux"
	// OSFamilyUnknown Host with Unknown operating system.
	OSFamilyUnknown OSFamily = "Unknown"
	// OSFamilyWindows Host with Windows operating system.
	OSFamilyWindows OSFamily = "Windows"
)

// PossibleOSFamilyValues returns an array of possible values for the OSFamily const type.
// A new slice is allocated on each call.
func PossibleOSFamilyValues() []OSFamily {
	return []OSFamily{OSFamilyAndroid, OSFamilyIOS, OSFamilyLinux, OSFamilyUnknown, OSFamilyWindows}
}

// OutputType enumerates the values for output type.
type OutputType string

const (
	// OutputTypeDate is the OutputType with wire value "Date".
	OutputTypeDate OutputType = "Date"
	// OutputTypeEntity is the OutputType with wire value "Entity".
	OutputTypeEntity OutputType = "Entity"
	// OutputTypeNumber is the OutputType with wire value "Number".
	OutputTypeNumber OutputType = "Number"
	// OutputTypeString is the OutputType with wire value "String".
	OutputTypeString OutputType = "String"
)

// PossibleOutputTypeValues returns an array of possible values for the OutputType const type.
// A new slice is allocated on each call.
func PossibleOutputTypeValues() []OutputType {
	return []OutputType{OutputTypeDate, OutputTypeEntity, OutputTypeNumber, OutputTypeString}
}

// RegistryHive enumerates the values for registry hive.
type RegistryHive string

// Wire values use the underscore-separated HKEY_* spelling; the Go identifiers drop the
// underscores, so HKEYLOCALMACHINE carries "HKEY_LOCAL_MACHINE".
const (
	// HKEYA HKEY_A
	HKEYA RegistryHive = "HKEY_A"
	// HKEYCLASSESROOT HKEY_CLASSES_ROOT
	HKEYCLASSESROOT RegistryHive = "HKEY_CLASSES_ROOT"
	// HKEYCURRENTCONFIG HKEY_CURRENT_CONFIG
	HKEYCURRENTCONFIG RegistryHive = "HKEY_CURRENT_CONFIG"
	// HKEYCURRENTUSER HKEY_CURRENT_USER
	HKEYCURRENTUSER RegistryHive = "HKEY_CURRENT_USER"
	// HKEYCURRENTUSERLOCALSETTINGS HKEY_CURRENT_USER_LOCAL_SETTINGS
	HKEYCURRENTUSERLOCALSETTINGS RegistryHive = "HKEY_CURRENT_USER_LOCAL_SETTINGS"
	// HKEYLOCALMACHINE HKEY_LOCAL_MACHINE
	HKEYLOCALMACHINE RegistryHive = "HKEY_LOCAL_MACHINE"
	// HKEYPERFORMANCEDATA HKEY_PERFORMANCE_DATA
	HKEYPERFORMANCEDATA RegistryHive = "HKEY_PERFORMANCE_DATA"
	// HKEYPERFORMANCENLSTEXT HKEY_PERFORMANCE_NLSTEXT
	HKEYPERFORMANCENLSTEXT RegistryHive = "HKEY_PERFORMANCE_NLSTEXT"
	// HKEYPERFORMANCETEXT HKEY_PERFORMANCE_TEXT
	HKEYPERFORMANCETEXT RegistryHive = "HKEY_PERFORMANCE_TEXT"
	// HKEYUSERS HKEY_USERS
	HKEYUSERS RegistryHive = "HKEY_USERS"
)

// PossibleRegistryHiveValues returns an array of possible values for the RegistryHive const type.
// A new slice is allocated on each call.
func PossibleRegistryHiveValues() []RegistryHive {
	return []RegistryHive{HKEYA, HKEYCLASSESROOT, HKEYCURRENTCONFIG, HKEYCURRENTUSER, HKEYCURRENTUSERLOCALSETTINGS, HKEYLOCALMACHINE, HKEYPERFORMANCEDATA, HKEYPERFORMANCENLSTEXT, HKEYPERFORMANCETEXT, HKEYUSERS}
}

// RegistryValueKind enumerates the values for registry value kind.
type RegistryValueKind string

const (
	// RegistryValueKindBinary Binary value type
	RegistryValueKindBinary RegistryValueKind = "Binary"
	// RegistryValueKindDWord DWord value type
	RegistryValueKindDWord RegistryValueKind = "DWord"
	// RegistryValueKindExpandString ExpandString value type
	RegistryValueKindExpandString RegistryValueKind = "ExpandString"
	// RegistryValueKindMultiString MultiString value type
	RegistryValueKindMultiString RegistryValueKind = "MultiString"
	// RegistryValueKindNone None
	RegistryValueKindNone RegistryValueKind = "None"
	// RegistryValueKindQWord QWord value type
	RegistryValueKindQWord RegistryValueKind = "QWord"
	// RegistryValueKindString String value type
	RegistryValueKindString RegistryValueKind = "String"
	// RegistryValueKindUnknown Unknown value type
	RegistryValueKindUnknown RegistryValueKind = "Unknown"
)

// PossibleRegistryValueKindValues returns an array of possible values for the RegistryValueKind const type.
// A new slice is allocated on each call.
func PossibleRegistryValueKindValues() []RegistryValueKind {
	return []RegistryValueKind{RegistryValueKindBinary, RegistryValueKindDWord, RegistryValueKindExpandString, RegistryValueKindMultiString, RegistryValueKindNone, RegistryValueKindQWord, RegistryValueKindString, RegistryValueKindUnknown}
}

// RelationNodeKind enumerates the values for relation node kind.
type RelationNodeKind string

const (
	// RelationNodeKindBookmark Bookmark node part of the relation
	RelationNodeKindBookmark RelationNodeKind = "Bookmark"
	// RelationNodeKindCase Case node part of the relation
	RelationNodeKindCase RelationNodeKind = "Case"
)

// PossibleRelationNodeKindValues returns an array of possible values for the RelationNodeKind const type.
func PossibleRelationNodeKindValues() []RelationNodeKind {
	// A fresh slice literal is built on every call.
	return []RelationNodeKind{RelationNodeKindBookmark, RelationNodeKindCase}
}

// RelationTypes enumerates the values for relation types.
type RelationTypes string

const (
	// CasesToBookmarks Relations between cases and bookmarks
	CasesToBookmarks RelationTypes = "CasesToBookmarks"
)

// PossibleRelationTypesValues returns an array of possible values for the RelationTypes const type.
// CasesToBookmarks is currently the only value; a new one-element slice is allocated on each call.
func PossibleRelationTypesValues() []RelationTypes {
	return []RelationTypes{CasesToBookmarks}
}

// SettingKind enumerates the values for setting kind.
type SettingKind string

// SettingKind shares its wire strings with the KindBasicSettings constants KindEntityAnalytics,
// KindEyesOn and KindUeba, but is a distinct Go type.
const (
	// SettingKindEntityAnalytics is the SettingKind with wire value "EntityAnalytics".
	SettingKindEntityAnalytics SettingKind = "EntityAnalytics"
	// SettingKindEyesOn is the SettingKind with wire value "EyesOn".
	SettingKindEyesOn SettingKind = "EyesOn"
	// SettingKindUeba is the SettingKind with wire value "Ueba".
	SettingKindUeba SettingKind = "Ueba"
)

// PossibleSettingKindValues returns an array of possible values for the SettingKind const type.
// A new slice is allocated on each call.
func PossibleSettingKindValues() []SettingKind {
	return []SettingKind{SettingKindEntityAnalytics, SettingKindEyesOn, SettingKindUeba}
}

// Source enumerates the values for source.
type Source string

// The wire values contain a space and differ in casing from the Go identifiers.
const (
	// Localfile is the Source with wire value "Local file".
	Localfile Source = "Local file"
	// Remotestorage is the Source with wire value "Remote storage".
	Remotestorage Source = "Remote storage"
)

// PossibleSourceValues returns an array of possible values for the Source const type.
// A new slice is allocated on each call.
func PossibleSourceValues() []Source {
	return []Source{Localfile, Remotestorage}
}

// TemplateStatus enumerates the values for template status.
type TemplateStatus string

// NOTE: Available, Installed and NotAvailable are unprefixed exported identifiers at package level.
const (
	// Available Alert rule template is available.
	Available TemplateStatus = "Available"
	// Installed Alert rule template is installed and cannot be used more than once.
	Installed TemplateStatus = "Installed"
	// NotAvailable Alert rule template is not available
	NotAvailable TemplateStatus = "NotAvailable"
)

// PossibleTemplateStatusValues returns an array of possible values for the TemplateStatus const type.
// A new slice is allocated on each call.
func PossibleTemplateStatusValues() []TemplateStatus {
	return []TemplateStatus{Available, Installed, NotAvailable}
}

// ThreatIntelligenceResourceKind enumerates the values for threat intelligence resource kind.
type ThreatIntelligenceResourceKind string

const (
	// Indicator Entity represents threat intelligence indicator in the system.
	// The wire value is lowercase "indicator", matching KindIndicator of KindBasicThreatIntelligenceInformation.
	Indicator ThreatIntelligenceResourceKind = "indicator"
)

// PossibleThreatIntelligenceResourceKindValues returns an array of possible values for the ThreatIntelligenceResourceKind const type.
// Indicator is currently the only value; a new one-element slice is allocated on each call.
func PossibleThreatIntelligenceResourceKindValues() []ThreatIntelligenceResourceKind {
	return []ThreatIntelligenceResourceKind{Indicator}
}

// ThreatIntelligenceSortingCriteria enumerates the values for threat intelligence sorting criteria.
type ThreatIntelligenceSortingCriteria string

// The wire values are all lowercase, unlike the Go identifiers.
const (
	// Ascending is the ThreatIntelligenceSortingCriteria with wire value "ascending".
	Ascending ThreatIntelligenceSortingCriteria = "ascending"
	// Descending is the ThreatIntelligenceSortingCriteria with wire value "descending".
	Descending ThreatIntelligenceSortingCriteria = "descending"
	// Unsorted is the ThreatIntelligenceSortingCriteria with wire value "unsorted".
	Unsorted ThreatIntelligenceSortingCriteria = "unsorted"
)

// PossibleThreatIntelligenceSortingCriteriaValues returns an array of possible values for the ThreatIntelligenceSortingCriteria const type.
// A new slice is allocated on each call.
func PossibleThreatIntelligenceSortingCriteriaValues() []ThreatIntelligenceSortingCriteria {
	return []ThreatIntelligenceSortingCriteria{Ascending, Descending, Unsorted}
}

// TriggerOperator enumerates the values for trigger operator.
type TriggerOperator string

// NOTE: Equal, GreaterThan, LessThan and NotEqual are unprefixed exported identifiers at package level.
const (
	// Equal is the TriggerOperator with wire value "Equal".
	Equal TriggerOperator = "Equal"
	// GreaterThan is the TriggerOperator with wire value "GreaterThan".
	GreaterThan TriggerOperator = "GreaterThan"
	// LessThan is the TriggerOperator with wire value "LessThan".
	LessThan TriggerOperator = "LessThan"
	// NotEqual is the TriggerOperator with wire value "NotEqual".
	NotEqual TriggerOperator = "NotEqual"
)

// PossibleTriggerOperatorValues returns an array of possible values for the TriggerOperator const type.
// A new slice is allocated on each call.
func PossibleTriggerOperatorValues() []TriggerOperator {
	return []TriggerOperator{Equal, GreaterThan, LessThan, NotEqual}
}

// UebaDataSources enumerates the values for ueba data sources.
type UebaDataSources string

const (
	// AuditLogs is the UebaDataSources with wire value "AuditLogs".
	AuditLogs UebaDataSources = "AuditLogs"
	// AzureActivity is the UebaDataSources with wire value "AzureActivity".
	AzureActivity UebaDataSources = "AzureActivity"
	// SecurityEvent is the UebaDataSources with wire value "SecurityEvent".
	SecurityEvent UebaDataSources = "SecurityEvent"
	// SigninLogs is the UebaDataSources with wire value "SigninLogs".
	SigninLogs UebaDataSources = "SigninLogs"
)

// PossibleUebaDataSourcesValues returns an array of possible values for the UebaDataSources const type.
// A new slice is allocated on each call.
func PossibleUebaDataSourcesValues() []UebaDataSources {
	return []UebaDataSources{AuditLogs, AzureActivity, SecurityEvent, SigninLogs}
}