Docs edits
Signed-off-by: Ian Maddaus <ian.maddaus@progress.com>
IanMadd committed Nov 2, 2021
1 parent 6d73c54 commit ecfa29a
Showing 2 changed files with 85 additions and 81 deletions.
75 changes: 38 additions & 37 deletions docs/resources/azure_sentinel_incidents_resource.md
@@ -5,18 +5,18 @@ platform: azure

# azure_sentinel_incidents_resource

Use the `azure_sentinel_incidents_resource` InSpec audit resource to test properties of an Azure sentinel_incident.
Use the `azure_sentinel_incidents_resource` InSpec audit resource to test properties of an Azure Azure Sentinel incident.

## Azure REST API version, endpoint, and HTTP client parameters
## Azure Rest API Version, Endpoint, And HTTP Client Parameters

This resource interacts with api versions supported by the resource provider.
This resource interacts with API versions supported by the resource provider.
The `api_version` can be defined as a resource parameter.
If not provided, the latest version will be used.
For more information, refer to [`azure_generic_resource`](azure_generic_resource.md).

Unless defined, `azure_cloud` global endpoint, and default values for the HTTP client will be used.
For more information, refer to the resource pack [README](../../README.md).
For api related info : [`Azure sentinel_incident Docs`](https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/get).
For api related info : [`Azure Azure Sentinel incident Docs`](https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/get).


## Availability
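Review bot: the new intro line reads "an Azure Azure Sentinel incident" and the new link text reads "Azure Azure Sentinel incident Docs"; drop the duplicated "Azure" in both. The new heading turns "REST" into "Rest" and title-cases "And"; the old heading "## Azure REST API version, endpoint, and HTTP client parameters" is the correct form (REST is an acronym), so keep it and only sentence-case the rest. The link sentence also still says "For api related info :" with lowercase "api" and a space before the colon even though the line just above was changed to "API"; suggest "For API-related information, see [...]". The extra blank line before "## Availability" can go.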
@@ -30,29 +30,30 @@ For an example `inspec.yml` file and how to set up your Azure credentials, refer

`resource_group` and `incident_id`, `workspace_name` must be given as parameters.

```ruby
describe azure_sentinel_incidents_resource(resource_group: resource_group, workspace_name: workspace_name, incident_id: incident_id) do
end
```
```ruby
describe azure_sentinel_incidents_resource(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME', incident_id: 'INCIDENT_ID') do
#...
end
```

## Parameters

| Name | Description |
|--------------------------------|-----------------------------------------------------------------------------------|
| resource_group | Azure resource group that the targeted resource resides in. `MyResourceGroup` |
| workspace_name | Name for the Workspace that you want to create your sentinel_incident in.. |
| incident_id | The sentinel_incident Name. |
|--------------------------------|-----------------------------------------------------------------------------------|
| resource_group | Azure resource group that the targeted resource resides in. |
| workspace_name | Name for the workspace that you want to create your Azure Sentinel incident in. |
| incident_id | The Azure Sentinel incident name. |

All the parameter sets needs be provided for a valid query:
- `resource_group` , `workspace_name` and `incident_id`

## Properties

| Name | Description |
|--------------------------------|----------------------------------------------------------------------------------|
| name | Name of the Azure resource to test. `MyDf` |
| id | The sentinel_incident type. |
| properties | The Properties of the Resource. |
| name | Name of the Azure resource to test. |
| id | The Azure Sentinel incident type. |
| properties | The Properties of the Resource. |
| properties.severity | The severity of the incident | `properties.severity` |
| properties.status| The status of the incident | `properties.status` |
| properties.owner.email | The email of the user the incident is assigned to. | `properties.owner.email` |
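Review bot: the `id` row in the Properties table still says "The Azure Sentinel incident type." (the old row said the same); `id` is the resource ID, and the type is what the examples later check with `its('type')`, which this table does not list at all, so fix the `id` description and add a `type` row. The `workspace_name` row describes the workspace "that you want to create your Azure Sentinel incident in"; this resource only reads the incident, so "the workspace that contains the incident" is more accurate. Just below the changed rows, `properties.severity`, `properties.status` and `properties.owner.email` carry a third cell (the backticked property name) that the two-column header does not have, which renders as a broken table; drop the third cell or add a header column while this table is being touched. The unchanged sentence "All the parameter sets needs be provided for a valid query" should read "All of the following parameters must be provided", and "`resource_group` and `incident_id`, `workspace_name` must be given as parameters" should list the three names as one series.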
@@ -61,43 +62,43 @@ All the parameter sets needs be provided for a valid query:

## Examples

### Test if properties matches
### Test The Properties of an Incident

```ruby
describe azure_sentinel_incidents_resource(resource_group: resource_group, workspace_name: workspace_name, incident_id: incident_id) do
it { should exist }
its('name') { should eq '0367ce89-78ad-4009-8d90-399fad24aabf' }
its('type') { should eq 'Microsoft.SecurityInsights/Incidents' }
its('properties.severity') { should eq 'Informational' }
its('properties.status') { should eq 'New' }
its('properties.owner.email') { should eq 'owner_email' }
its('properties.owner.userPrincipalName') { should eq 'samir.anand_progress.com#EXT#@getchef.onmicrosoft.com' }
its('properties.owner.assignedTo') { should eq 'owner_name' }
end
describe azure_sentinel_incidents_resource(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME', incident_id: 'INCIDENT_ID') do
it { should exist }
its('name') { should eq 'AZURE_RESOURCE_NAME' }
its('type') { should eq 'Microsoft.SecurityInsights/Incidents' }
its('properties.severity') { should eq 'Informational' }
its('properties.status') { should eq 'New' }
its('properties.owner.email') { should eq 'OWNER_EMAIL' }
its('properties.owner.userPrincipalName') { should eq 'PRINCIPAL_NAME' }
its('properties.owner.assignedTo') { should eq 'OWNER_NAME' }
end
```


### Test that a sentinel_incident exists
### Test That An Azure Sentinel Incident Exists

```ruby
describe azure_sentinel_incidents_resource(resource_group: resource_group, workspace_name: workspace_name, incident_id: incident_id) do
it { should exist }
end
```
```ruby
describe azure_sentinel_incidents_resource(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME', incident_id: 'INCIDENT_ID') do
it { should exist }
end
```

### Test that a sentinel_incident does not exist
### Test That An Azure Sentinel Incident Does Not Exist

```ruby
describe azure_sentinel_incidents_resource(resource_group: resource_group, workspace_name: workspace_name, incident_id: 'should not exit') do
describe azure_sentinel_incidents_resource(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME', incident_id: 'INCIDENT_ID') do
it { should_not exist }
end
```

### Test properties of a sentinel_incident

```ruby
describe azure_sentinel_incidents_resource(resource_group: resource_group, workspace_name: workspace_name, incident_id: 'incident_id1') do
its('name') { should eq 'incident_id1' }
describe azure_sentinel_incidents_resource(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME', incident_id: 'INCIDENT_ID') do
its('name') { should eq 'INCIDENT_ID' }
end
```

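Review bot: in the first example `its('name') { should eq 'AZURE_RESOURCE_NAME' }` uses a different placeholder from the last example in the hunk, which passes `incident_id: 'INCIDENT_ID'` and asserts `its('name') { should eq 'INCIDENT_ID' }`; since the incident's name is its ID, use `INCIDENT_ID` in both places. In the "Does Not Exist" example the old line deliberately passed a value that cannot match (`'should not exit'`), whereas the new line passes the same `'INCIDENT_ID'` placeholder as the "Exists" example, so the two examples contradict each other as written; use a distinct placeholder such as `NONEXISTENT_INCIDENT_ID`. The heading "### Test properties of a sentinel_incident" keeps the old `sentinel_incident` wording and lowercase style while the neighbouring headings were renamed, and its example duplicates "Test The Properties of an Incident"; rename it or fold it into the first example. Replacing the real-looking user principal name and GUID with placeholders is the right call.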
91 changes: 47 additions & 44 deletions docs/resources/azure_sentinel_incidents_resources.md
@@ -5,18 +5,18 @@ platform: azure

# azure_sentinel_incidents_resources

Use the `azure_sentinel_incidents_resources` InSpec audit resource to test properties related to sentinel_incident for a resource group or the entire subscription.
Use the `azure_sentinel_incidents_resources` InSpec audit resource to test properties of Azure Sentinel incidents for a resource group or the entire subscription.

## Azure REST API version, endpoint, and HTTP client parameters
## Azure Rest API Version, Endpoint, And HTTP Client Parameters

This resource interacts with api versions supported by the resource provider.
This resource interacts with API versions supported by the resource provider.
The `api_version` can be defined as a resource parameter.
If not provided, the latest version will be used.
For more information, refer to [`azure_generic_resource`](azure_generic_resource.md).

Unless defined, `azure_cloud` global endpoint, and default values for the HTTP client will be used.
For more information, refer to the resource pack [README](../../README.md).
For api related info : [`Azure sentinel_incident Docs`](https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/list).

## Availability

### Installation
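Review bot: the line "For api related info : [`Azure sentinel_incident Docs`](.../incidents/list)" is left unchanged in this file, while the same line in azure_sentinel_incidents_resource.md is updated in this commit; update it the same way here ("API", no space before the colon, "Azure Sentinel incidents" instead of `sentinel_incident`). As in the other file, the new heading should keep "REST" rather than "Rest", and "And" should be lowercase.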
@@ -26,29 +26,30 @@ For an example `inspec.yml` file and how to set up your Azure credentials, refer

## Syntax

An `azure_sentinel_incidents_resources` resource block returns all Azure sentinel_incident, either within a Resource Group (if provided), or within an entire Subscription.
An `azure_sentinel_incidents_resources` resource block returns all Azure sentinel incident, either within a resource group (if provided), or within an entire Subscription.

```ruby
describe azure_sentinel_incidents_resources(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME') do
#...
end
```

```ruby
describe azure_sentinel_incidents_resources(resource_group: 'example', workspace_name: 'fn') do
#...
end
```
`resource_group` and `workspace_name` must be given as parameters.
`resource_group` and `workspace_name` are required parameters.


## Parameters

| Name | Description |
|--------------------------------|-----------------------------------------------------------------------------------|
| resource_group | Azure resource group that the targeted resource resides in. `MyResourceGroup` |
| workspace_name | Azure Workspace Name for which sentinel_incident are being retrieved.|
|--------------------------------|-----------------------------------------------------------------------------------|
| resource_group | Azure resource group that the targeted resource resides in. |
| workspace_name | Azure Workspace Name for which Azure Sentinel incident are being retrieved.|

## Properties

| Property | Description | Filter Criteria<superscript>*</superscript> |
|-----------------|---------------------------------------------------------|-----------------|
|-----------------|---------------------------------------------------------|-----------------|
| names | A list of the unique resource names. | `name` |
| ids | A list of sentinel_incident IDs . | `id` |
| ids | A list of Azure Sentinel incident IDs . | `id` |
| properties | A list of properties for the resource | `properties` |
| descriptions | A list of descriptions for each resource | `description` |
| severities | The severity of the incident | `severity` |
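Review bot: the new syntax sentence "returns all Azure sentinel incident, either within a resource group (if provided), or within an entire Subscription" needs the plural "incidents", "Sentinel" capitalised as in the rest of the commit, and "subscription" lowercase to match "resource group" in the same sentence. The `workspace_name` row has the same singular/plural problem ("for which Azure Sentinel incident are being retrieved") and "Azure Workspace Name" should be "Azure workspace name". The `ids` row keeps a stray space before the full stop ("IDs ."). The unchanged header cell `Filter Criteria<superscript>*</superscript>` uses an element HTML does not define, so the asterisk renders as plain text; `<sup>*</sup>` gives the intended superscript.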
@@ -61,38 +62,40 @@ An `azure_sentinel_incidents_resources` resource block returns all Azure sentine

## Examples

### Test if properties matches
### Test Properties of Incidents in a Resource Group

```ruby
describe azure_sentinel_incidents_resource(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME') do
it { should exist }
its('names') { should include 'RESOURCE_NAME' }
its('types') { should include 'Microsoft.SecurityInsights/Incidents' }
its('titles') { should include 'TITLE' }
its('descriptions') { should include 'DESCRIPTION_TEXT' }
its('severities') { should include 'Informational' }
its('statuses') { should include 'New' }
its('owner_emails') { should include 'EMAIL_ADDRESS' }
its('owner_userPrincipalNames') { should include 'PRINCIPAL_NAME' }
its('owner_assignedTos') { should include 'ASSIGNED_TO_NAME' }
end
```

### Test If Any Azure Sentinel Incident Exists in a Resource Group

```ruby
describe azure_sentinel_incidents_resources(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME') do
it { should exist }
end
```

### Test That There Aren't Any Azure Sentinel Incident in a Resource Group

```ruby
describe azure_sentinel_incidents_resource(resource_group: resource_group, workspace_name: 'workspace_name') do
it { should exist }
its('names') { should include '0367ce89-78ad-4009-8d90-399fad24aabf' }
its('types') { should include 'Microsoft.SecurityInsights/Incidents' }
its('titles') { should include 'test-ana' }
its('descriptions') { should include 'test-rule' }
its('severities') { should include 'Informational' }
its('statuses') { should include 'New' }
its('owner_emails') { should include 'mailid' }
its('owner_userPrincipalNames') { should include 'mail#EXT#@getchef.onmicrosoft.com' }
its('owner_assignedTos') { should include 'Name' }
end
# Should not exist if no Azure Sentinel incident are in the resource group
describe azure_sentinel_incidents_resources(resource_group: 'RESOURCE_GROUP', workspace_name: 'WORKSPACE_NAME') do
it { should_not exist }
end
```

### Test if any sentinel_incident exist in the resource group

```ruby
describe azure_sentinel_incidents_resources(resource_group: 'example', workspace_name: 'fn') do
it { should exist }
end
```
### Test that there aren't any sentinel_incident in a resource group

```ruby
# Should not exist if no sentinel_incident are in the resource group
describe azure_sentinel_incidents_resources(resource_group: 'example', workspace_name: 'fake') do
it { should_not exist }
end
```
## Azure Permissions

Your [Service Principal](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal) must be setup with a `contributor` role on the subscription you wish to test.

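Review bot: the first example calls `azure_sentinel_incidents_resource` (singular) with only `resource_group` and `workspace_name`, but this page documents the plural `azure_sentinel_incidents_resources`, and the singular resource requires `incident_id` per its own docs in this same commit, so the example as written would fail; the old line had the same mistake and this is the moment to fix it. The heading "Test That There Aren't Any Azure Sentinel Incident in a Resource Group" and the comment "if no Azure Sentinel incident are in the resource group" need the plural "incidents". In the unchanged Azure Permissions line, "must be setup" should be "must be set up".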