From 315c0c1dea81a69b1754267a38d44d9fe758d97f Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi <t-momizr@microsoft.com>
Date: Sun, 30 Aug 2020 15:04:43 +0300
Subject: [PATCH 1/4] added incident entities operation

---
 .../2019-01-01-preview/SecurityInsights.json  | 85 +++++++++++++++++++
 .../entities/GetAllIncidentEntities.json      | 35 ++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/entities/GetAllIncidentEntities.json

diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 217a51c2fb4d..b2a5f36d6522 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -3099,6 +3099,54 @@
         }
       }
     },
+    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": {
+      "post": {
+        "x-ms-examples": {
+          "Expand an entity": {
+            "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json"
+          }
+        },
+        "tags": [
+          "IncidentEntities"
+        ],
+        "description": "Gets all incident related entities.",
+        "operationId": "IncidentEntities_ListByIncident",
+        "parameters": [
+          {
+            "$ref": "#/parameters/ApiVersion"
+          },
+          {
+            "$ref": "#/parameters/SubscriptionId"
+          },
+          {
+            "$ref": "#/parameters/ResourceGroupName"
+          },
+          {
+            "$ref": "#/parameters/OperationalInsightsResourceProvider"
+          },
+          {
+            "$ref": "#/parameters/WorkspaceName"
+          },
+          {
+            "$ref": "#/parameters/IncidentId"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "OK",
+            "schema": {
+              "$ref": "#/definitions/IncidentEntitiesResponse"
+            }
+          },
+          "default": {
+            "description": "Error response describing why the operation failed.",
+            "schema": {
+              "$ref": "#/definitions/CloudError"
+            }
+          }
+        }
+      }
+    },
     "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations": {
       "get": {
         "x-ms-examples": {
@@ -6267,6 +6315,43 @@
       ],
       "type": "object"
     },
+    "IncidentEntitiesResponse": {
+      "description": "The incident related entities response.",
+      "properties": {
+        "entities": {
+          "description": "Array of the incident related entities.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/Entity"
+          }
+        },
+        "metaData": {
+          "description": "The metadata from the incident related entities results.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/IncidentEntitiesResultsMetadata"
+          }
+        }
+      }
+    },
+    "IncidentEntitiesResultsMetadata": {
+      "description": "Information of a specific aggregation in the incident related entities result.",
+      "properties": {
+        "count": {
+          "description": "Total number of aggregations of the given kind in the incident related entities result.",
+          "type": "integer"
+        },
+        "entityKind": {
+          "$ref": "#/definitions/EntityInnerKind",
+          "description": "The kind of the aggregated entity."
+        }
+      },
+      "required": [
+        "entityKind",
+        "count"
+      ],
+      "type": "object"
+    },
     "IncidentLabel": {
       "description": "Represents an incident label",
       "properties": {
diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/entities/GetAllIncidentEntities.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/entities/GetAllIncidentEntities.json
new file mode 100644
index 000000000000..4db37d3eb932
--- /dev/null
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/examples/incidents/entities/GetAllIncidentEntities.json
@@ -0,0 +1,35 @@
+{
+  "parameters": {
+    "api-version": "2019-01-01-preview",
+    "subscriptionId": "d0cfe6b2-9ac0-4464-9919-dccaee2e48c0",
+    "resourceGroupName": "myRg",
+    "workspaceName": "myWorkspace",
+    "operationalInsightsResourceProvider": "Microsoft.OperationalIinsights",
+    "incidentId": "afbd324f-6c48-459c-8710-8d1e1cd03812"
+  },
+  "responses": {
+    "200": {
+      "body": {
+        "entities": [
+          {
+            "id": "/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/e1d3d618-e11f-478b-98e3-bb381539a8e1",
+            "name": "e1d3d618-e11f-478b-98e3-bb381539a8e1",
+            "type": "Microsoft.SecurityInsights/Entities",
+            "kind": "Account",
+            "properties": {
+              "friendlyName": "administrator",
+              "accountName": "administrator",
+              "ntDomain": "domain"
+            }
+          }
+        ],
+        "metaData": [
+          {
+            "entityKind": "Account",
+            "count": 1
+          }
+        ]
+      }
+    }
+  }
+}

From 60ace98956d795c9ed0781530af9324964bb5d70 Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi <t-momizr@microsoft.com>
Date: Sun, 30 Aug 2020 15:25:57 +0300
Subject: [PATCH 2/4] change example name

---
 .../preview/2019-01-01-preview/SecurityInsights.json            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index b2a5f36d6522..0c391b05e9b2 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -3102,7 +3102,7 @@
     "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{operationalInsightsResourceProvider}/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/entities": {
       "post": {
         "x-ms-examples": {
-          "Expand an entity": {
+          "Gets all incident related entities": {
             "$ref": "./examples/incidents/entities/GetAllIncidentEntities.json"
           }
         },

From 254d7979228ace4bbe6c6d9012c1c3d2df081861 Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi <t-momizr@microsoft.com>
Date: Mon, 31 Aug 2020 12:36:04 +0300
Subject: [PATCH 3/4] change operationId

---
 .../preview/2019-01-01-preview/SecurityInsights.json            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 0c391b05e9b2..6d9d56b35153 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -3110,7 +3110,7 @@
           "IncidentEntities"
         ],
         "description": "Gets all incident related entities.",
-        "operationId": "IncidentEntities_ListByIncident",
+        "operationId": "Incidents_ListOfEntities",
         "parameters": [
           {
             "$ref": "#/parameters/ApiVersion"

From ff34dfdb14dd2f83f4b8578b72b781c410468b31 Mon Sep 17 00:00:00 2001
From: Moran Raz Mizrahi <t-momizr@microsoft.com>
Date: Mon, 31 Aug 2020 14:12:03 +0300
Subject: [PATCH 4/4] add format to integer

---
 .../preview/2019-01-01-preview/SecurityInsights.json           | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
index 6d9d56b35153..9f8671b5855b 100644
--- a/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
+++ b/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json
@@ -6339,7 +6339,8 @@
       "properties": {
         "count": {
           "description": "Total number of aggregations of the given kind in the incident related entities result.",
-          "type": "integer"
+          "type": "integer",
+          "format": "int32"
         },
         "entityKind": {
           "$ref": "#/definitions/EntityInnerKind",