DSCResources/MSFT_SCInsiderRiskPolicy/MSFT_SCInsiderRiskPolicy.schema.mof

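// DSC schema for the SCInsiderRiskPolicy resource (Insider Risk Management settings and
// policy indicators). Name and InsiderRiskScenario are both [Key], so an instance is
// identified by the pair; every other property is [Write].
// NOTE(review): several properties carry secrets or control detection coverage. Read the
// inline comments before storing compiled configurations or changing indicator values.
[ClassVersion("1.0.0.1"), FriendlyName("SCInsiderRiskPolicy")]
class MSFT_SCInsiderRiskPolicy : OMI_BaseResource
{
    [Key, Description("Name of the insider risk policy.")] string Name;
    [Key, Description("Name of the scenario supported by the policy.")] string InsiderRiskScenario;
    [Write, Description("When turned on, data is aggregated at tenant level and is shown as insights in Analytics reports.")] Boolean IRASettingsEnabled;
    [Write, Description("When turned on, if an email containing only a signature as attachment is sent to someone outside your org, your policies will attempt to ignore the activity when assigning risk scores, thereby helping reduce inessential alerts.")] Boolean EmailSignatureExclusionSettingsEnabled;
    [Write, Description("When turned on, data is aggregated at user level and is shown as insights in user activity summary of Data Loss Prevention, Communication Compliance and Microsoft Defender along with Advanced Hunting tables. Data sharing needs to be turned on along with this.")] Boolean UserAnalyticsSettingsEnabled;
    // NOTE(review): privacy control. The description does not say which value masks
    // identities; presumably true = pseudonymized names. Confirm before relying on it.
    [Write, Description("For users who perform activities matching your insider risk policies, decide whether to show their actual names or use pseudonymized versions to mask their identities.")] Boolean Anonymization;
    // Per their descriptions, the next three toggles widen where insider-risk data is
    // visible (other Microsoft solutions, SIEM export). Review who holds the receiving
    // roles before enabling them.
    [Write, Description("When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity pages in Microsoft Defender.")] Boolean DLPUserRiskSync;
    // NOTE(review): this description is a verbatim copy of DLPUserRiskSync's; confirm the
    // intended text for OptInIRMDataExport.
    [Write, Description("When turned on, admins with the correct permissions will be able to review user risk details from Insider Risk Management within other solutions such as Data Loss Prevention (DLP), Communication Compliance, and user entity pages in Microsoft Defender.")] Boolean OptInIRMDataExport;
    [Write, Description("Insider risk management alert information is exportable to security information and event management (SIEM) services by using Office 365 Management Activity APIs. Turn this on to use these APIs to export insider risk alert details to other applications your organization might use to manage or aggregate insider risk data.")] Boolean RaiseAuditAlert;
    [Write, Description("Enable inline alert customization for all alert reviewers.")] Boolean InlineAlertPolicyCustomization;
    // Typed String, so this schema does not validate the value; the accepted format and
    // range are not documented here.
    [Write, Description("Minimum number of daily events to boost score for unusual activity.")] String FileVolCutoffLimits;
    [Write, Description("Alert volume.")] String AlertVolume;
    // Indicator switches. Each Boolean from here through
    // PowerBISensitivityLabelRemovedFromArtifacts names one activity signal; presumably
    // true turns the signal on. Flipping one to false reduces detection coverage and
    // deserves the same review as removing a detection rule. Several of these watch for
    // changes to logging or auditing (AWSS3ServerLoggingDisabled,
    // AzureSQLServerAuditingSettingsUpdated, McasSuspiciousCloudTrailLoggingChange).
    [Write, Description("Risk score boosters indicator.")] Boolean AnomalyDetections;
    [Write, Description("Policy indicators > Entering risky prompt in other AI apps")] Boolean AIAppRiskyPrompt;
    [Write, Description("Policy indicators > Entering prompt attacks in AI apps")] Boolean CCPromptShields;
    [Write, Description("Policy indicators > Receiving AI app responses containing protected materials")] Boolean CCProtectedMaterialDetection;
    [Write, Description("Policy indicators > Sending messages that contain specific sensitive info types")] Boolean CCSensitiveInformationType;
    [Write, Description("Policy indicators > Detect messages matched by specific Communication Compliance policies")] Boolean CCSupervisionRuleMatch;
    [Write, Description("Policy indicators > Potentially risky sign-in activity")] Boolean CompromisedSignInAlerts;
    [Write, Description("Policy indicators > User account potentially compromised")] Boolean CompromisedUserAlerts;
    [Write, Description("Policy indicators > Entering risky prompt in enterprise AI apps")] Boolean ConnectedAIAppRiskyPrompt;
    [Write, Description("Policy indicators > Receiving sensitive response from enterprise AI apps")] Boolean ConnectedAIAppSensitiveResponse;
    [Write, Description("Policy indicators > Entering risky prompt in Copilot")] Boolean CopilotRiskyPrompt;
    [Write, Description("Policy indicators > Receiving sensitive response from Copilot")] Boolean CopilotSensitiveResponse;
    [Write, Description("Policy indicators > Enabling external sharing of Microsoft Fabric data")] Boolean FabricExternalDataSharingSwitchEnabled;
    [Write, Description("Policy indicators > Generating alerts from selected DLP policies")] Boolean HighSeverityDlpRuleMatch;
    [Write, Description("Policy indicators > Deleting Microsoft Fabric lakehouses")] Boolean LakehouseArtifactDeleted;
    [Write, Description("Policy indicators > Sharing lakehouse data with people outside the organization")] Boolean LakehouseExternalDataShareCreated;
    [Write, Description("Policy indicators > Deleted lakehouse files or tables")] Boolean LakehouseFileOrBlobDeleted;
    [Write, Description("Policy indicators > Downgrading sensitivity labels of lakehouses")] Boolean LakehouseSensitivityLabelDowngraded;
    [Write, Description("Policy indicators > Removing sensitivity labels of lakehouses")] Boolean LakehouseSensitivityLabelRemoved;
    [Write, Description("Policy indicators > Files downloaded from the web")] Boolean NetworkDownloadFile;
    [Write, Description("Policy indicators > Sensitive text downloaded from the web")] Boolean NetworkDownloadText;
    [Write, Description("Policy indicators > Files uploaded to the web")] Boolean NetworkUploadFile;
    [Write, Description("Policy indicators > Sensitive text uploaded to the web")] Boolean NetworkUploadText;
    [Write, Description("Official documentation to come.")] Boolean CopyToPersonalCloud;
    [Write, Description("Device indicator.")] Boolean CopyToUSB;
    [Write, Description("Cumulative exfiltration detection indicator.")] Boolean CumulativeExfiltrationDetector;
    [Write, Description("Official documentation to come.")] Boolean EmailExternal;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedEmployeePatientData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedFamilyData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedHighVolumePatientData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedNeighbourData;
    [Write, Description("Health record access indicator.")] Boolean EmployeeAccessedRestrictedData;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToChildAbuseSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToCriminalActivitySites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToCultSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToGamblingSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToHackingSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToHateIntoleranceSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToIllegalSoftwareSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToKeyloggerSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToLlmSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToMalwareSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToPhishingSites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToPornographySites;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToUnallowedDomain;
    [Write, Description("Risky browsing indicator.")] Boolean EpoBrowseToViolenceSites;
    [Write, Description("Device indicator.")] Boolean EpoCopyToClipboardFromSensitiveFile;
    [Write, Description("Device indicator.")] Boolean EpoCopyToNetworkShare;
    [Write, Description("Device indicator.")] Boolean EpoFileArchived;
    [Write, Description("Device indicator.")] Boolean EpoFileCopiedToRemoteDesktopSession;
    [Write, Description("Device indicator.")] Boolean EpoFileDeleted;
    [Write, Description("Device indicator.")] Boolean EpoFileDownloadedFromBlacklistedDomain;
    [Write, Description("Device indicator.")] Boolean EpoFileDownloadedFromEnterpriseDomain;
    [Write, Description("Device indicator.")] Boolean EpoFileRenamed;
    [Write, Description("Device indicator.")] Boolean EpoFileStagedToCentralLocation;
    [Write, Description("Device indicator.")] Boolean EpoHiddenFileCreated;
    [Write, Description("Device indicator.")] Boolean EpoRemovableMediaMount;
    [Write, Description("Device indicator.")] Boolean EpoSensitiveFileRead;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean Mcas3rdPartyAppDownload;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean Mcas3rdPartyAppFileDelete;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean Mcas3rdPartyAppFileSharing;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasActivityFromInfrequentCountry;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasImpossibleTravel;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleFailedLogins;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleStorageDeletion;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleVMCreation;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasMultipleVMDeletion;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasSuspiciousAdminActivities;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasSuspiciousCloudCreation;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasSuspiciousCloudTrailLoggingChange;
    [Write, Description("Microsoft Defender for Cloud Apps indicator.")] Boolean McasTerminatedEmployeeActivity;
    [Write, Description("Office Indicator.")] Boolean OdbDownload;
    [Write, Description("Office Indicator.")] Boolean OdbSyncDownload;
    [Write, Description("Cumulative exfiltration detection indicator.")] Boolean PeerCumulativeExfiltrationDetector;
    [Write, Description("Physical access indicator.")] Boolean PhysicalAccess;
    [Write, Description("Risk score boosters indicator.")] Boolean PotentialHighImpactUser;
    [Write, Description("Official documentation to come.")] Boolean Print;
    [Write, Description("Risk score boosters indicator.")] Boolean PriorityUserGroupMember;
    [Write, Description("Microsoft Defender for Endpoint indicator.")] Boolean SecurityAlertDefenseEvasion;
    [Write, Description("Microsoft Defender for Endpoint indicator.")] Boolean SecurityAlertUnwantedSoftware;
    [Write, Description("Office Indicator.")] Boolean SpoAccessRequest;
    [Write, Description("Office Indicator.")] Boolean SpoApprovedAccess;
    [Write, Description("Office Indicator.")] Boolean SpoDownload;
    [Write, Description("Office Indicator.")] Boolean SpoDownloadV2;
    [Write, Description("Office Indicator.")] Boolean SpoFileAccessed;
    [Write, Description("Office Indicator.")] Boolean SpoFileDeleted;
    [Write, Description("Office Indicator.")] Boolean SpoFileDeletedFromFirstStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFileDeletedFromSecondStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFileLabelDowngraded;
    [Write, Description("Office Indicator.")] Boolean SpoFileLabelRemoved;
    [Write, Description("Office Indicator.")] Boolean SpoFileSharing;
    [Write, Description("Office Indicator.")] Boolean SpoFolderDeleted;
    [Write, Description("Office Indicator.")] Boolean SpoFolderDeletedFromFirstStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFolderDeletedFromSecondStageRecycleBin;
    [Write, Description("Office Indicator.")] Boolean SpoFolderSharing;
    [Write, Description("Office Indicator.")] Boolean SpoSiteExternalUserAdded;
    [Write, Description("Office Indicator.")] Boolean SpoSiteInternalUserAdded;
    [Write, Description("Office Indicator.")] Boolean SpoSiteLabelRemoved;
    [Write, Description("Office Indicator.")] Boolean SpoSiteSharing;
    [Write, Description("Office Indicator.")] Boolean SpoSyncDownload;
    [Write, Description("Office Indicator.")] Boolean TeamsChannelFileSharedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsChannelMemberAddedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsChatFileSharedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsFileDownload;
    [Write, Description("Office Indicator.")] Boolean TeamsFolderSharedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsMemberAddedExternal;
    [Write, Description("Office Indicator.")] Boolean TeamsSensitiveMessage;
    [Write, Description("Risk score boosters indicator.")] Boolean UserHistory;
    [Write, Description("AWS indicator.")] Boolean AWSS3BlockPublicAccessDisabled;
    [Write, Description("AWS indicator.")] Boolean AWSS3BucketDeleted;
    [Write, Description("AWS indicator.")] Boolean AWSS3PublicAccessEnabled;
    [Write, Description("AWS indicator.")] Boolean AWSS3ServerLoggingDisabled;
    [Write, Description("Azure indicator.")] Boolean AzureElevateAccessToAllSubscriptions;
    [Write, Description("Azure indicator.")] Boolean AzureResourceThreatProtectionSettingsUpdated;
    [Write, Description("Azure indicator.")] Boolean AzureSQLServerAuditingSettingsUpdated;
    [Write, Description("Azure indicator.")] Boolean AzureSQLServerFirewallRuleDeleted;
    [Write, Description("Azure indicator.")] Boolean AzureSQLServerFirewallRuleUpdated;
    [Write, Description("Azure indicator.")] Boolean AzureStorageAccountOrContainerDeleted;
    [Write, Description("Box indicator.")] Boolean BoxContentAccess;
    [Write, Description("Box indicator.")] Boolean BoxContentDelete;
    [Write, Description("Box indicator.")] Boolean BoxContentDownload;
    [Write, Description("Box indicator.")] Boolean BoxContentExternallyShared;
    [Write, Description("Detect messages matching specific trainable classifiers.")] Boolean CCFinancialRegulatoryRiskyTextSent;
    [Write, Description("Detect messages matching specific trainable classifiers.")] Boolean CCInappropriateContentSent;
    [Write, Description("Detect messages matching specific trainable classifiers.")] Boolean CCInappropriateImagesSent;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentAccess;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentDelete;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentDownload;
    [Write, Description("Dropbox indicator.")] Boolean DropboxContentExternallyShared;
    [Write, Description("Google Drive indicator.")] Boolean GoogleDriveContentAccess;
    [Write, Description("Google Drive indicator.")] Boolean GoogleDriveContentDelete;
    [Write, Description("Google Drive indicator.")] Boolean GoogleDriveContentExternallyShared;
    [Write, Description("Power BI indicator.")] Boolean PowerBIDashboardsDeleted;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsDeleted;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsDownloaded;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsExported;
    [Write, Description("Power BI indicator.")] Boolean PowerBIReportsViewed;
    [Write, Description("Power BI indicator.")] Boolean PowerBISemanticModelsDeleted;
    [Write, Description("Power BI indicator.")] Boolean PowerBISensitivityLabelDowngradedForArtifacts;
    [Write, Description("Power BI indicator.")] Boolean PowerBISensitivityLabelRemovedFromArtifacts;
    // Detection windows. Both are typed String with no ValueMap, so this schema does not
    // constrain the accepted values or their unit.
    [Write, Description("Determines how far back a policy should go to detect user activity and is triggered when a user performs the first activity matching a policy.")] String HistoricTimeSpan;
    [Write, Description("Determines how long policies will actively detect activity for users and is triggered when a user performs the first activity matching a policy.")] String InScopeTimeSpan;
    [Write, Description("Integrate Microsoft Teams capabilities with insider risk case management to enhance collaboration with stakeholders. ")] Boolean EnableTeam;
    // Notification settings. The *RoleGroups arrays list their allowed names only in the
    // Description text; no ValueMap enforces them, so this schema will not reject a
    // misspelled group. Alert e-mails go to whoever is in the named groups.
    [Write, Description("Send a monthly email summarizing new analytics scan insights.")] Boolean AnalyticsNewInsightEnabled;
    [Write, Description("Send an email when analytics is turned off for your organization.")] Boolean AnalyticsTurnedOffEnabled;
    [Write, Description("Send a daily email when new high severity alerts are generated.")] Boolean HighSeverityAlertsEnabled;
    [Write, Description("Specifies the groups of high severity alerts to include. Possible values are: InsiderRiskManagement, InsiderRiskManagementAnalysts, and InsiderRiskManagementInvestigators.")] String HighSeverityAlertsRoleGroups[];
    [Write, Description("Send a weekly email summarizing policies that have unresolved warnings.")] Boolean PoliciesHealthEnabled;
    [Write, Description("Specifies the groups to notify with weekly email. Possible values are: InsiderRiskManagement and InsiderRiskManagementAdmins.")] String PoliciesHealthRoleGroups[];
    [Write, Description("Send a notification email when the first alert is generated for a new policy.")] Boolean NotificationDetailsEnabled;
    [Write, Description("Specifies the groups to notify when the first alert is generated. Possible values are: InsiderRiskManagement, InsiderRiskManagementAnalysts, and InsiderRiskManagementInvestigators.")] String NotificationDetailsRoleGroups[];
    // NOTE(review): the capture settings below are undocumented in this schema.
    // SessionRecordingEnabled presumably turns on recording of user sessions, which has
    // privacy and storage implications; the numeric limits are typed String and are not
    // validated here. Confirm behaviour and units before use.
    [Write, Description("Official documentation to come.")] Boolean ClipDeletionEnabled;
    [Write, Description("Official documentation to come.")] Boolean SessionRecordingEnabled;
    [Write, Description("Official documentation to come.")] String RecordingTimeframePreEventInSec;
    [Write, Description("Official documentation to come.")] String RecordingTimeframePostEventInSec;
    [Write, Description("Official documentation to come.")] String BandwidthCapInMb;
    [Write, Description("Official documentation to come.")] String OfflineRecordingStorageLimitInMb;
    // Adaptive Protection. The High/Medium/Low profile properties repeat the same seven
    // fields per level; the meaning of the UInt32 codes (source type, severities) is not
    // given in this schema.
    [Write, Description("Determines if Adaptive Protection is enabled for Purview.")] Boolean AdaptiveProtectionEnabled;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileSourceType;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileConfirmedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileGeneratedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileInsightSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionHighProfileInsightCount;
    [Write, Description("Official documentation to come.")] String AdaptiveProtectionHighProfileInsightTypes[];
    [Write, Description("Official documentation to come.")] Boolean AdaptiveProtectionHighProfileConfirmedIssue;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileSourceType;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileConfirmedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileGeneratedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileInsightSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionMediumProfileInsightCount;
    [Write, Description("Official documentation to come.")] String AdaptiveProtectionMediumProfileInsightTypes[];
    [Write, Description("Official documentation to come.")] Boolean AdaptiveProtectionMediumProfileConfirmedIssue;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileSourceType;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileConfirmedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileGeneratedIssueSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileInsightSeverity;
    [Write, Description("Official documentation to come.")] UInt32 AdaptiveProtectionLowProfileInsightCount;
    [Write, Description("Official documentation to come.")] String AdaptiveProtectionLowProfileInsightTypes[];
    [Write, Description("Official documentation to come.")] Boolean AdaptiveProtectionLowProfileConfirmedIssue;
    [Write, Description("Official documentation to come.")] Boolean RetainSeverityAfterTriage;
    [Write, Description("Official documentation to come.")] UInt32 LookbackTimeSpan;
    [Write, Description("Official documentation to come.")] UInt32 ProfileInScopeTimeSpan;
    [Write, Description("Official documentation to come.")] UInt32 GPUUtilizationLimit;
    [Write, Description("Official documentation to come.")] UInt32 CPUUtilizationLimit;
    [Write, Description("Microsoft Defender for Endpoint alert statuses.")] String MDATPTriageStatus[];
    [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure;
    // Authentication. Credential is an MSFT_Credential embedded instance: DSC encrypts it
    // in the compiled MOF only when a certificate is configured for the node; otherwise
    // compilation requires PSDscAllowPlainTextPassword and the password is stored in clear.
    [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
    [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
    [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
    [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
    [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
    // AccessTokens is a plain String[], not a credential type, so its values are written
    // to the compiled MOF as-is. Treat any compiled configuration that holds tokens as a
    // secret, or prefer CertificateThumbprint / ManagedIdentity.
    [Write, Description("Access token used for authentication.")] String AccessTokens[];
};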