Azure Graph Alerts are masked - how to unmask?

Alexander Georgiev 1 Reputation point
2021-06-22T07:50:41.94+00:00

Hi,

I am using the Azure CLI to query Security Alerts, which works fine, but the alert details are masked with asterisks, e.g.

[..]
      "ExtendedProperties": {
        "Alert Id": "************************************",
        "Client IP address": "***************",
        "Client IP location": "*************",
        "Client application": "**************************************",
        "Client hostname": "***********",
        "Client principal name": "*******************************",
        "Domain name": "********************",
        "Investigation steps": "******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
        "KillChainIntent": "*************",
        "Potential causes": "*************************************************",
        "resourceType": "************"
      },
[..]

You can reproduce this using, for example, az graph query -q "securityresources | where type =~ 'microsoft.security/locations/alerts' | where properties.StartTimeUtc >= ago(1d) | where properties.Status in ('Active')" in the Cloud Shell.

How can I unmask these or what setting is masking them?

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.

1 answer

  1. JamesTran-MSFT 36,541 Reputation points Microsoft Employee
    2021-06-28T21:49:11.487+00:00

    @Alexander Georgiev
    Thank you for your post!

    • When it comes to getting Security Alerts, are you able to see the masked info within the Azure Portal?
    • Have you tried using the az security alert CLI commands? Or even the alert resource type Graph API?

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    1 person found this answer helpful.