Alerts - List By Resource Group

List all the alerts that are associated with the resource group

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts?api-version=2022-01-01

URI Parameters

Name In Required Type Description
resourceGroupName
path True
  • string

The name of the resource group within the user's subscription. The name is case insensitive.

Regex pattern: ^[-\w\._\(\)]+$

subscriptionId
path True
  • string

Azure subscription ID

Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$

api-version
query True
  • string

API version for the operation

Responses

Name Type Description
200 OK

OK

Other Status Codes

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get security alerts on a resource group

Sample Request

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/alerts?api-version=2022-01-01

Sample Response

{
  "value": [
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
      "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
      "type": "Microsoft.Security/Locations/alerts",
      "properties": {
        "version": "2022-01-01",
        "alertType": "VM_EICAR",
        "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
        "productComponentName": "testName",
        "alertDisplayName": "Azure Security Center test alert (not a threat)",
        "description": "This is a test alert generated by Azure Security Center. No further action is needed.",
        "severity": "High",
        "intent": "Execution",
        "startTimeUtc": "2020-02-22T00:00:00.0000000Z",
        "endTimeUtc": "2020-02-22T00:00:00.0000000Z",
        "resourceIdentifiers": [
          {
            "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
            "type": "AzureResource"
          },
          {
            "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
            "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
            "workspaceResourceGroup": "myRg1",
            "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
            "type": "LogAnalytics"
          }
        ],
        "remediationSteps": [
          "No further action is needed."
        ],
        "vendorName": "Microsoft",
        "status": "Active",
        "extendedLinks": [
          {
            "Category": "threat_reports",
            "Label": "Report: RDP Brute Forcing",
            "Href": "https://contoso.com/reports/DisplayReport",
            "Type": "webLink"
          }
        ],
        "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
        "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z",
        "productName": "Azure Security Center",
        "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z",
        "entities": [
          {
            "address": "192.0.2.1",
            "location": {
              "countryCode": "gb",
              "state": "wokingham",
              "city": "sonning",
              "longitude": -0.909,
              "latitude": 51.468,
              "asn": 6584
            },
            "type": "ip"
          }
        ],
        "isIncident": true,
        "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=",
        "extendedProperties": {
          "Property1": "Property1 information"
        },
        "compromisedEntity": "vm1",
        "techniques": [
          "T1059",
          "T1053",
          "T1072"
        ],
        "subTechniques": [
          "T1059.001",
          "T1059.006",
          "T1053.002"
        ],
        "supportingEvidence": {
          "supportingEvidenceList": [
            {
              "evidenceElements": [
                {
                  "text": {
                    "arguments": {
                      "sensitiveEnumerationTypes": {
                        "type": "string[]",
                        "value": [
                          "UseDesKey"
                        ]
                      },
                      "domainName": {
                        "type": "string",
                        "value": "domainName"
                      }
                    },
                    "localizationKey": "AATP_ALERTS_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT_EVIDENCE_ENUMERATION_DETAIL_A7C00BD7",
                    "fallback": "Actor enumerated UseDesKey on domain1.test.local"
                  },
                  "type": "evidenceElement",
                  "innerElements": null
                }
              ],
              "type": "nestedList"
            },
            {
              "type": "tabularEvidences",
              "title": "Investigate activity test",
              "columns": [
                "Date",
                "Activity",
                "User",
                "TestedText",
                "TestedValue"
              ],
              "rows": [
                [
                  "2022-01-17T07:03:52.034Z",
                  "Log on",
                  "testUser",
                  "false",
                  false
                ],
                [
                  "2022-01-17T07:03:52.034Z",
                  "Log on",
                  "testUser2",
                  "false",
                  false
                ],
                [
                  "2022-01-17T07:03:52.034Z",
                  "Log on",
                  "testUser3",
                  "true",
                  true
                ]
              ]
            }
          ],
          "type": "supportingEvidenceList"
        }
      }
    }
  ]
}

Definitions

Alert

Security alert

AlertEntity

Changing set of properties depending on the entity type.

AlertList

List of security alerts

alertSeverity

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.

alertStatus

The life cycle status of the alert.

AzureResourceIdentifier

Azure resource identifier.

CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).

CloudErrorBody

The error detail.

ErrorAdditionalInfo

The resource management error additional info.

intent

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.

LogAnalyticsIdentifier

Represents a Log Analytics workspace scope identifier.

SupportingEvidence

Changing set of properties depending on the supportingEvidence type.

Alert

Security alert

Name Type Description
id
  • string

Resource Id

name
  • string

Resource name

properties.alertDisplayName
  • string

The display name of the alert.

properties.alertType
  • string

Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType).

properties.alertUri
  • string

A direct link to the alert page in Azure Portal.

properties.compromisedEntity
  • string

The display name of the resource most related to this alert.

properties.correlationKey
  • string

Key for corelating related alerts. Alerts with the same correlation key considered to be related.

properties.description
  • string

Description of the suspicious activity that was detected.

properties.endTimeUtc
  • string

The UTC time of the last event or activity included in the alert in ISO8601 format.

properties.entities

A list of entities related to the alert.

properties.extendedLinks
  • object[]

Links related to the alert

properties.extendedProperties
  • object

Custom properties for the alert.

properties.intent

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.

properties.isIncident
  • boolean

This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert.

properties.processingEndTimeUtc
  • string

The UTC processing end time of the alert in ISO8601 format.

properties.productComponentName
  • string

The name of Azure Security Center pricing tier which powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing

properties.productName
  • string

The name of the product which published this alert (Azure Security Center, Azure ATP, Microsoft Defender ATP, O365 ATP, MCAS, and so on).

properties.remediationSteps
  • string[]

Manual action items to take to remediate the alert.

properties.resourceIdentifiers ResourceIdentifier[]:

The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.

properties.severity

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.

properties.startTimeUtc
  • string

The UTC time of the first event or activity included in the alert in ISO8601 format.

properties.status

The life cycle status of the alert.

properties.subTechniques
  • string[]

Kill chain related sub-techniques behind the alert.

properties.supportingEvidence

Changing set of properties depending on the supportingEvidence type.

properties.systemAlertId
  • string

Unique identifier for the alert.

properties.techniques
  • string[]

kill chain related techniques behind the alert.

properties.timeGeneratedUtc
  • string

The UTC time the alert was generated in ISO8601 format.

properties.vendorName
  • string

The name of the vendor that raises the alert.

properties.version
  • string

Schema version.

type
  • string

Resource type

AlertEntity

Changing set of properties depending on the entity type.

Name Type Description
type
  • string

Type of entity

AlertList

List of security alerts

Name Type Description
nextLink
  • string

The URI to fetch the next page.

value

describes security alert properties.

alertSeverity

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.

Name Type Description
High
  • string

High

Informational
  • string

Informational

Low
  • string

Low

Medium
  • string

Medium

alertStatus

The life cycle status of the alert.

Name Type Description
Active
  • string

An alert which doesn't specify a value is assigned the status 'Active'

Dismissed
  • string

Alert dismissed as false positive

InProgress
  • string

An alert which is in handling state

Resolved
  • string

Alert closed after handling

AzureResourceIdentifier

Azure resource identifier.

Name Type Description
azureResourceId
  • string

ARM resource identifier for the cloud resource being alerted on

type string:
  • AzureResource

There can be multiple identifiers of different type per alert, this field specify the identifier type.

CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).

Name Type Description
error.additionalInfo

The error additional info.

error.code
  • string

The error code.

error.details

The error details.

error.message
  • string

The error message.

error.target
  • string

The error target.

CloudErrorBody

The error detail.

Name Type Description
additionalInfo

The error additional info.

code
  • string

The error code.

details

The error details.

message
  • string

The error message.

target
  • string

The error target.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info
  • object

The additional info.

type
  • string

The additional info type.

intent

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.

Name Type Description
Collection
  • string

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.

CommandAndControl
  • string

The command and control tactic represents how adversaries communicate with systems under their control within a target network.

CredentialAccess
  • string

Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.

DefenseEvasion
  • string

Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses.

Discovery
  • string

Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network.

Execution
  • string

The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system.

Exfiltration
  • string

Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network.

Exploitation
  • string

Exploitation is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc.

Impact
  • string

Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process.

InitialAccess
  • string

InitialAccess is the stage where an attacker manages to get foothold on the attacked resource.

LateralMovement
  • string

Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems.

Persistence
  • string

Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system.

PreAttack
  • string

PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and find a way in. Further details on the PreAttack stage can be read in MITRE Pre-Att&ck matrix.

PrivilegeEscalation
  • string

Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.

Probing
  • string

Probing could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation.

Unknown
  • string

Unknown

LogAnalyticsIdentifier

Represents a Log Analytics workspace scope identifier.

Name Type Description
agentId
  • string

(optional) The LogAnalytics agent id reporting the event that this alert is based on.

type string:
  • LogAnalytics

There can be multiple identifiers of different type per alert, this field specify the identifier type.

workspaceId
  • string

The LogAnalytics workspace id that stores this alert.

workspaceResourceGroup
  • string

The azure resource group for the LogAnalytics workspace storing this alert

workspaceSubscriptionId
  • string

The azure subscription id for the LogAnalytics workspace storing this alert.

SupportingEvidence

Changing set of properties depending on the supportingEvidence type.

Name Type Description
type
  • string

Type of the supportingEvidence