DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.schema.mof

// DSC schema for the SCInsiderRiskPolicy resource. An instance is identified by the
// pair (Name, InsiderRiskScenario); every other property is an optional [Write] setting.
// The schema declares types only: apart from Ensure, no property carries a
// ValueMap/Values qualifier, so any range or value checking has to happen in the
// resource module, which is not part of this file.
// NOTE(review): many properties below switch individual detections, privacy masking or
// data-sharing paths on or off, so changes to a configuration that uses this resource
// deserve the same review and change tracking as any other detection-coverage change.
[ClassVersion("1.0.0.0"), FriendlyName("SCInsiderRiskPolicy")]
class MSFT_SCInsiderRiskPolicy : OMI_BaseResource
{
    // --- Identity of the policy instance ---
    [Key, Description("Name of the insider risk policy.")] string Name;
    [Key, Description("Name of the scenario supported by the policy.")] string InsiderRiskScenario;

    // --- Global settings: analytics, privacy and data sharing ---
    [Write, Description("When turned on, we'll scan sources in your org (such as the Microsoft 365 audit log) to detect the same activities used by insider risk policies. Scans run daily and provide real-time insights that can help you set up and refine policies to ensure you're detecting the most relevant activities.")] Boolean IRASettingsEnabled;
    // Privacy control: per its description, decides whether reviewers see real user names
    // or pseudonymized ones. Which Boolean value corresponds to masking is not stated here.
    [Write, Description("For users who perform activities matching your insider risk policies, decide whether to show their actual names or use pseudonymized versions to mask their identities.")] Boolean Anonymization;
    // NOTE(review): DLPUserRiskSync and OptInIRMDataExport carry the same description text,
    // while the SIEM/Management Activity API export text sits on RaiseAuditAlert. At least
    // one of these three descriptions looks misplaced; confirm which setting actually
    // controls export of alert data before using them to decide what leaves the tenant.
    [Write, Description("When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity pages in Microsoft Defender.")] Boolean DLPUserRiskSync;
    [Write, Description("When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity pages in Microsoft Defender.")] Boolean OptInIRMDataExport;
    [Write, Description("Insider risk management alert information is exportable to security information and event management (SIEM) services by using Office 365 Management Activity APIs. Turn this on to use these APIs to export insider risk alert details to other applications your organization might use to manage or aggregate insider risk data.")] Boolean RaiseAuditAlert;
    [Write, Description("Enable inline alert customization for all alert reviewers.")] Boolean InlineAlertPolicyCustomization;
    // Both are typed String and declare no allowed values, although the first description
    // reads like a numeric threshold; the accepted format is not visible in this schema.
    [Write, Description("Minimum number of daily events to boost score for unusual activity.")] String FileVolCutoffLimits;
    [Write, Description("Alert volume.")] String AlertVolume;

    // --- Indicator toggles ---
    // One Boolean per indicator; the description only names the indicator family.
    // Presumably $true enables detection of the named activity - TODO confirm against the
    // resource module. Several names refer to logging, auditing or protection settings being
    // changed (for example AWSS3ServerLoggingDisabled, AzureSQLServerAuditingSettingsUpdated,
    // McasSuspiciousCloudTrailLoggingChange, SecurityAlertDefenseEvasion).
    // "Official documentation to come." is a placeholder, not a description.
    [Write, Description("Risk score boosters indicator.")] Boolean AnomalyDetections;
    [Write, Description("Official documentation to come.")] Boolean CopyToPersonalCloud;
    [Write, Description("Device indicator.")] Boolean CopyToUSB;
    [Write, Description("Cumulative exfiltration detection indicator.")] Boolean CumulativeExfiltrationDetector;
    [Write, Description("Official documentation to come.")] Boolean EmailExternal;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedEmployeePatientData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedFamilyData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedHighVolumePatientData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedNeighbourData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedRestrictedData;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToChildAbuseSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToCriminalActivitySites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToCultSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToGamblingSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToHackingSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToHateIntoleranceSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToIllegalSoftwareSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToKeyloggerSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToLlmSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToMalwareSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToPhishingSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToPornographySites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToUnallowedDomain;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToViolenceSites;
    [Write, Description("Device indicator.")] Boolean EpoCopyToClipboardFromSensitiveFile;
    [Write, Description("Device indicator.")] Boolean EpoCopyToNetworkShare;
    [Write, Description("Device indicator.")] Boolean EpoFileArchived;
    [Write, Description("Device indicator.")] Boolean EpoFileCopiedToRemoteDesktopSession;
    [Write, Description("Device indicator.")] Boolean EpoFileDeleted;
    [Write, Description("Device indicator.")] Boolean EpoFileDownloadedFromBlacklistedDomain;
    [Write, Description("Device indicator.")] Boolean EpoFileDownloadedFromEnterpriseDomain;
    [Write, Description("Device indicator.")] Boolean EpoFileRenamed;
    [Write, Description("Device indicator.")] Boolean EpoFileStagedToCentralLocation;
    [Write, Description("Device indicator.")] Boolean EpoHiddenFileCreated;
    [Write, Description("Device indicator.")] Boolean EpoRemovableMediaMount;
    [Write, Description("Device indicator.")] Boolean EpoSensitiveFileRead;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean Mcas3rdPartyAppDownload;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean Mcas3rdPartyAppFileDelete;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean Mcas3rdPartyAppFileSharing;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasActivityFromInfrequentCountry;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasImpossibleTravel;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleFailedLogins;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleStorageDeletion;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleVMCreation;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleVMDeletion;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasSuspiciousAdminActivities;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasSuspiciousCloudCreation;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasSuspiciousCloudTrailLoggingChange;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasTerminatedEmployeeActivity;
    [Write, Description("Office Indicator.")] Boolean OdbDownload;
    [Write, Description("Office Indicator.")] Boolean OdbSyncDownload;
    [Write, Description("Cumulative exfiltration detection indicator.")] Boolean PeerCumulativeExfiltrationDetector;
    [Write, Description("Physical access indicator.")] Boolean PhysicalAccess;
    [Write, Description("Risk score boosters indicator.")] Boolean PotentialHighImpactUser;
    [Write, Description("Official documentation to come.")] Boolean Print;
    [Write, Description("Risk score boosters indicator.")] Boolean PriorityUserGroupMember;
    [Write, Description("Microsoft Defender for Endpoint indicator.")] Boolean SecurityAlertDefenseEvasion;
    [Write, Description("Microsoft Defender for Endpoint indicator.")] Boolean SecurityAlertUnwantedSoftware;
    [Write, Description("Office Indicator.")] Boolean SpoAccessRequest;
    [Write, Description("Office Indicator.")] Boolean SpoApprovedAccess;
    [Write, Description("Office Indicator.")] Boolean SpoDownload;
    [Write, Description("Office Indicator.")] Boolean SpoDownloadV2;
    [Write, Description("Office Indicator.")] Boolean SpoFileAccessed;
    [Write, Description("Office Indicator.")] Boolean SpoFileDeleted;
    [Write, Description("Office Indicator.")] Boolean SpoFileDeletedFromFirstStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFileDeletedFromSecondStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFileLabelDowngraded;
    [Write, Description("Office Indicator.")] Boolean SpoFileLabelRemoved;
    [Write, Description("Office Indicator.")] Boolean SpoFileSharing;
    [Write, Description("Office Indicator.")] Boolean SpoFolderDeleted;
    [Write, Description("Office Indicator.")] Boolean SpoFolderDeletedFromFirstStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFolderDeletedFromSecondStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFolderSharing;
    [Write, Description("Office Indicator.")] Boolean SpoSiteExternalUserAdded;
    [Write, Description("Office Indicator.")] Boolean SpoSiteInternalUserAdded;
    [Write, Description("Office Indicator.")] Boolean SpoSiteLabelRemoved;
    [Write, Description("Office Indicator.")] Boolean SpoSiteSharing;
    [Write, Description("Office Indicator.")] Boolean SpoSyncDownload;
    [Write, Description("Office Indicator.")] Boolean TeamsChannelFileSharedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsChannelMemberAddedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsChatFileSharedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsFileDownload;
    [Write, Description("Office Indicator.")] Boolean TeamsFolderSharedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsMemberAddedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsSensitiveMessage;
    [Write, Description("Risk score boosters indicator.")] Boolean UserHistory;
    [Write, Description("AWS indicator.")] Boolean AWSS3BlockPublicAccessDisabled;
    [Write, Description("AWS indicator.")] Boolean AWSS3BucketDeleted;
    [Write, Description("AWS indicator.")] Boolean AWSS3PublicAccessEnabled;
    [Write, Description("AWS indicator.")] Boolean AWSS3ServerLoggingDisabled;
    [Write, Description("Azure indicator.")] Boolean AzureElevateAccessToAllSubscriptions;
    [Write, Description("Azure indicator.")] Boolean AzureResourceThreatProtectionSettingsUpdated;
    [Write, Description("Azure indicator.")] Boolean AzureSQLServerAuditingSettingsUpdated;
    [Write, Description("Azure indicator.")] Boolean AzureSQLServerFirewallRuleDeleted;
    [Write, Description("Azure indicator.")] Boolean AzureSQLServerFirewallRuleUpdated;
    [Write, Description("Azure indicator.")] Boolean AzureStorageAccountOrContainerDeleted;
    [Write, Description("Box indicator.")] Boolean BoxContentAccess;
    [Write, Description("Box indicator.")] Boolean BoxContentDelete;
    [Write, Description("Box indicator.")] Boolean BoxContentDownload;
    [Write, Description("Box indicator.")] Boolean BoxContentExternallyShared;
    [Write, Description("Detect messages matching specific trainable classifiers.")] Boolean CCFinancialRegulatoryRiskyTextSent;
    [Write, Description("Detect messages matching specific trainable classifiers.")] Boolean CCInappropriateContentSent;
    [Write, Description("Detect messages matching specific trainable classifiers.")] Boolean CCInappropriateImagesSent;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentAccess;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentDelete;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentDownload;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentExternallyShared;
    [Write, Description("Google Drive indicator.")] Boolean GoogleDriveContentAccess;
    [Write, Description("Google Drive indicator.")] Boolean GoogleDriveContentDelete;
    [Write, Description("Google Drive indicator.")] Boolean GoogleDriveContentExternallyShared;
    [Write, Description("Power BI indicator.")] Boolean PowerBIDashboardsDeleted;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsDeleted;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsDownloaded;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsExported;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsViewed;
    [Write, Description("Power BI indicator.")] Boolean PowerBISemanticModelsDeleted;
    [Write, Description("Power BI indicator.")] Boolean PowerBISensitivityLabelDowngradedForArtifacts;
    [Write, Description("Power BI indicator.")] Boolean PowerBISensitivityLabelRemovedFromArtifacts;

    // --- Detection windows ---
    // Both windows are typed String; neither the unit nor the format is declared here.
    [Write, Description("Determines how far back a policy should go to detect user activity and is triggered when a user performs the first activity matching a policy.")] String HistoricTimeSpan;
    [Write, Description("Determines how long policies will actively detect activity for users and is triggered when a user performs the first activity matching a policy.")] String InScopeTimeSpan;

    // --- Collaboration and e-mail notifications ---
    [Write, Description("Integrate Microsoft Teams capabilities with insider risk case management to enhance collaboration with stakeholders. ")] Boolean EnableTeam;
    [Write, Description("Send a monthly email summarizing new analytics scan insights.")] Boolean AnalyticsNewInsightEnabled;
    [Write, Description("Send an email when analytics is turned off for your organization.")] Boolean AnalyticsTurnedOffEnabled;
    [Write, Description("Send a daily email when new high severity alerts are generated.")] Boolean HighSeverityAlertsEnabled;
    // The three *RoleGroups arrays list their possible values only in the description text.
    // Unlike Ensure they have no ValueMap/Values qualifier, so this schema accepts any
    // string; whether an unknown group name is rejected is not visible from this file.
    [Write, Description("Specifies the groups of high severity alerts to include. Possible values are: InsiderRiskManagement, InsiderRiskManagementAnalysts, and InsiderRiskManagementInvestigators.")] String HighSeverityAlertsRoleGroups[];
    [Write, Description("Send a weekly email summarizing policies that have unresolved warnings.")] Boolean PoliciesHealthEnabled;
    [Write, Description("Specifies the groups to notify with weekly email. Possible values are: InsiderRiskManagement and InsiderRiskManagementAdmins.")] String PoliciesHealthRoleGroups[];
    [Write, Description("Send a notification email when the first alert is generated for a new policy.")] Boolean NotificationDetailsEnabled;
    [Write, Description("Specifies the groups to notify when the first alert is generated. Possible values are: InsiderRiskManagement, InsiderRiskManagementAnalysts, and InsiderRiskManagementInvestigators.")] String NotificationDetailsRoleGroups[];

    // --- Recording settings (all descriptions are placeholders) ---
    // NOTE(review): the names suggest session recording with pre/post-event windows in
    // seconds and bandwidth/storage caps in megabytes, but the values are typed String and
    // nothing here documents them - confirm before enabling, as recording is privacy-sensitive.
    [Write, Description("Official documentation to come.")] Boolean ClipDeletionEnabled;
    [Write, Description("Official documentation to come.")] Boolean SessionRecordingEnabled;
    [Write, Description("Official documentation to come.")] String RecordingTimeframePreEventInSec;
    [Write, Description("Official documentation to come.")] String RecordingTimeframePostEventInSec;
    [Write, Description("Official documentation to come.")] String BandwidthCapInMb;
    [Write, Description("Official documentation to come.")] String OfflineRecordingStorageLimitInMb;

    // --- Adaptive Protection ---
    // The same seven settings repeat for the High, Medium and Low profiles. The UInt32
    // values (source type, severities, insight count) have no ValueMap and placeholder
    // descriptions, so the meaning of each number is not established by this schema.
    [Write, Description("Determines if Adaptive Protection is enabled for Purview.")] Boolean AdaptiveProtectionEnabled;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileSourceType;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileConfirmedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileGeneratedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileInsightSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileInsightCount;
    [Write, Description("Official documentation to come.")] String AdaptiveProtectionHighProfileInsightTypes[];
    [Write, Description("Official documentation to come.")] Boolean AdaptiveProtectionHighProfileConfirmedIssue;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileSourceType;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileConfirmedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileGeneratedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileInsightSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileInsightCount;
    [Write, Description("Official documentation to come.")] String AdaptiveProtectionMediumProfileInsightTypes[];
    [Write, Description("Official documentation to come.")] Boolean AdaptiveProtectionMediumProfileConfirmedIssue;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileSourceType;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileConfirmedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileGeneratedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileInsightSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileInsightCount;
    [Write, Description("Official documentation to come.")] String AdaptiveProtectionLowProfileInsightTypes[];
    [Write, Description("Official documentation to come.")] Boolean AdaptiveProtectionLowProfileConfirmedIssue;
    [Write, Description("Official documentation to come.")] Boolean RetainSeverityAfterTriage;
    [Write, Description("Official documentation to come.")] UInt32 LookbackTimeSpan;
    [Write, Description("Official documentation to come.")] UInt32 ProfileInScopeTimeSpan;
    [Write, Description("Official documentation to come.")] UInt32 GPUUtilizationLimit;
    [Write, Description("Official documentation to come.")] UInt32 CPUUtilizationLimit;
    [Write, Description("Microsoft Defender for Endpoint alert statuses.")] String MDATPTriageStatus[];

    // --- Desired state and authentication ---
    // Ensure is the only property whose allowed values the schema itself enforces.
    [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
    // Credential is the only authentication property declared as an embedded MSFT_Credential
    // instance; the remaining authentication properties are plain String/Boolean values.
    [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
    [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
    [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
    // A thumbprint identifies a certificate and is not itself a secret; where the matching
    // private key is stored is outside this schema.
    [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
    [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
    // NOTE(review): AccessTokens is a plain String array. DSC's compiled-MOF encryption
    // applies to credential instances, so a bearer token passed here would presumably be
    // stored in clear text in the configuration and the generated .mof - confirm, and keep
    // tokens out of source control; certificate or managed-identity auth avoids the issue.
    [Write, Description("Access token used for authentication.")] String AccessTokens[];
};