Get Security Alerts (GET Collection)

 

Updated: July 12, 2016

Retrieves all alerts for the subscription. Alerts that originate from a specific VM (such as antimalware alerts) have an ID under the same resource group (RG) as the VM. Alerts that are not related to a resource in the subscription but are relevant to the entire subscription scope (such as a Compromised Account alert) have an ID directly under the subscription scope (no RG).

Request

| Method | Request Uri |
| --- | --- |
| GET | https://<endpoint>/subscriptions/{subscriptionId}/providers/microsoft.Security/alerts?api-version={api-version} |

Request Uri Parameters

| Parameter | Description |
| --- | --- |
| subscriptionId | The subscription ID |
| api-version | The version of the Security RP protocol used for this request |

Request Headers

Common request headers only.

Request body

None.

Response

Status code

If successful, the operation returns HTTP status code 200 (OK).

Response body

{
    "value": [
        {
            "id": "/subscriptions/{id}/resourceGroups/{rg}/providers/Microsoft.Security/alerts/{id}",
            "name": "{id}",
            "type": "Microsoft.Security/alerts",
            "properties": {
                "state": "Active",
                "reportedTimeUtc": "2015-08-25T04:17:00Z",
                "providerName": "Alert Provider Name",
                "vendorName": "Vendor name",
                "alertName": "Alert Name",
                "detectedTimeUtc": "2015-08-23T00:00:00Z",
                "description": "Alert description",
                "remediationSteps": "…",
                "actionTaken": "Detected",
                "reportedSeverity": "Low",
                "compromisedEntity": "…",
                "associatedResource": "{associated resource id}",
                "extendedProperties": {
                }
            }
        },
        {
            "id": "/subscriptions/{id}/providers/Microsoft.Security/alerts/{id}",
            "name": "{id}",
            "type": "Microsoft.Security/alerts",
            "properties": {
                "state": "Active",
                "reportedTimeUtc": "2015-08-25T04:17:00Z",
                "providerName": "Alert Provider Name",
                "vendorName": "Vendor name",
                "alertDisplayName": "Display Name",
                "alertName": "Alert Name",
                "detectedTimeUtc": "2015-08-23T00:00:00Z",
                "description": "Alert description",
                "remediationSteps": "…",
                "actionTaken": "Detected",
                "reportedSeverity": "Low",
                "compromisedEntity": "…",
                "associatedResource": "{associated resource id}",
                "extendedProperties": {
                }
            }
        }
    ]
}
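Added example (not part of the original reference and not Microsoft's code): a Python routine that splits a response body of this shape into resource-group-scoped and subscription-scoped alerts, using the ID rule described at the top of the page. The function names, the sample IDs and values, and the non-Active state value are constructed for illustration.

```python
import json
import re

# Alert ID shapes described above: the resourceGroups segment is optional.
# Matching is case-insensitive because the request URI on this page spells the
# provider "microsoft.Security" while the response body uses "Microsoft.Security".
ALERT_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)"
    r"(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"/providers/Microsoft\.Security/alerts/(?P<alert>[^/]+)$",
    re.IGNORECASE,
)

def alert_scope(alert_id):
    """Return ("resourceGroup", rg) or ("subscription", sub); raise on any other shape."""
    m = ALERT_ID.match(alert_id)
    if m is None:
        raise ValueError(f"unexpected alert id: {alert_id!r}")
    if m.group("rg"):
        return ("resourceGroup", m.group("rg"))
    return ("subscription", m.group("sub"))

def triage(response_body):
    """Group Active alerts by scope; keep IDs that do not parse instead of dropping them."""
    grouped = {"resourceGroup": {}, "subscription": {}, "unparsed": []}
    for alert in json.loads(response_body).get("value", []):
        props = alert.get("properties", {})
        if props.get("state") != "Active":  # "Active" is the only state shown on this page
            continue
        try:
            kind, key = alert_scope(alert.get("id") or "")
        except ValueError:
            grouped["unparsed"].append(alert.get("id"))
            continue
        # alertDisplayName is absent from the first sample object above: fall back to alertName.
        name = props.get("alertDisplayName") or props.get("alertName")
        grouped[kind].setdefault(key.lower(), []).append((props.get("reportedSeverity"), name))
    return grouped

# Constructed sample in the shape of the response body above (every value is made up).
SAMPLE = json.dumps({"value": [
    {"id": "/subscriptions/sub-0001/resourceGroups/Web-RG/providers/Microsoft.Security/alerts/a1",
     "properties": {"state": "Active", "alertName": "Antimalware action", "reportedSeverity": "Low"}},
    {"id": "/subscriptions/sub-0001/providers/microsoft.Security/alerts/a2",
     "properties": {"state": "Active", "alertDisplayName": "Compromised account",
                    "alertName": "CompromisedAccount", "reportedSeverity": "High"}},
    {"id": "/subscriptions/sub-0001/resourceGroups/Web-RG/providers/Microsoft.Security/alerts/a3",
     "properties": {"state": "Dismissed", "alertName": "Old alert", "reportedSeverity": "Low"}},
    {"id": "not-an-arm-id", "properties": {"state": "Active", "alertName": "Odd"}},
]})
```

Calling `triage(SAMPLE)` returns the grouped alerts; entries under `unparsed` are worth reviewing by hand, since an ID that fits neither shape cannot be routed to a resource group owner or a subscription owner.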

See Also

Alerts
Security Resource Provider REST API Reference