Azure Graph Alerts are masked - how to unmask?

Question

Azure Graph Alerts are masked - how to unmask?

Alexander Georgiev 1

Hi,

I am using the Azure CLI to query Security Alerts, which works fine, but the alert details are masked with asterisks, e.g.

[..]
      "ExtendedProperties": {
        "Alert Id": "************************************",
        "Client IP address": "***************",
        "Client IP location": "*************",
        "Client application": "**************************************",
        "Client hostname": "***********",
        "Client principal name": "*******************************",
        "Domain name": "********************",
        "Investigation steps": "******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
        "KillChainIntent": "*************",
        "Potential causes": "*************************************************",
        "resourceType": "************"
      },
[..]

You can reproduce this using for example "az graph query -q "securityresources | where type =~ 'microsoft.security/locations/alerts' | where properties.StartTimeUtc >= ago(1d) | where properties.Status in ('Active')" in the Cloudshell.

How can I unmask these or what setting is masking them?

Deva-MSFT 2,271 Reputation points Microsoft Employee

2021-06-25T15:45:15.787+00:00

Adding right tags/teams to assist

1 answer

Your answer

Deva-MSFT 2,271 Reputation points Microsoft Employee

2021-06-25T15:45:15.787+00:00

Adding right tags/teams to assist

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Alexander Georgiev
Thank you for your post!

When it comes to getting Security Alerts, are you able to see the masked info within the Azure Portal?
Have you tried to using the az security alert CLI commands? Or even the alert resource type Graph API?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Alexander Georgiev 1 Reputation point

2021-06-29T07:52:27.037+00:00

Thank you so much!

The "az security alert" CLI in fact shows the values unmasked! (The REST API works as well, but is not suitable for my use case.)
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-06-29T17:00:48.663+00:00

@Alexander Georgiev
Thank you for the quick follow up on this and I'm glad that I was able to help resolve your issue!

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Kawulijiang Alimu (Shanghai Wicresoft Co,.Ltd.) 0 Reputation points Microsoft External Staff

2023-08-07T08:18:25.1533333+00:00

Hi, I also get encountered the same issue . When I used the same quires from the portal, I get masked, but I can get the specified details with the Azure CLI.

How can I unmask the details I have got from the Azure Resource Graph explorer at the Azure portal?

Share via

Azure Graph Alerts are masked - how to unmask?

1 answer

Your answer