Alerts - List
List all the alerts that are associated with the subscription
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts?api-version=2022-01-01URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
|
subscription
|
path | True |
string |
Azure subscription ID Regex pattern: |
|
api-version
|
query | True |
string |
API version for the operation |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK |
OK |
|
| Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| user_impersonation | impersonate your user account |
Examples
Get security alerts on a subscription
Sample Request
GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alerts?api-version=2022-01-01
Sample Response
{
"value": [
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
"name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"version": "2022-01-01",
"alertType": "VM_EICAR",
"systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
"productComponentName": "testName",
"alertDisplayName": "Azure Security Center test alert (not a threat)",
"description": "This is a test alert generated by Azure Security Center. No further action is needed.",
"severity": "High",
"intent": "Execution",
"startTimeUtc": "2020-02-22T00:00:00.0000000Z",
"endTimeUtc": "2020-02-22T00:00:00.0000000Z",
"resourceIdentifiers": [
{
"azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"type": "AzureResource"
},
{
"workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
"workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"workspaceResourceGroup": "myRg1",
"agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
"type": "LogAnalytics"
}
],
"remediationSteps": [
"No further action is needed."
],
"vendorName": "Microsoft",
"status": "Active",
"extendedLinks": [
{
"Category": "threat_reports",
"Label": "Report: RDP Brute Forcing",
"Href": "https://contoso.com/reports/DisplayReport",
"Type": "webLink"
}
],
"alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
"timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z",
"productName": "Azure Security Center",
"processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z",
"entities": [
{
"address": "192.0.2.1",
"location": {
"countryCode": "gb",
"state": "wokingham",
"city": "sonning",
"longitude": -0.909,
"latitude": 51.468,
"asn": 6584
},
"type": "ip"
}
],
"isIncident": true,
"correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=",
"extendedProperties": {
"Property1": "Property1 information"
},
"compromisedEntity": "vm1",
"techniques": [
"T1059",
"T1053",
"T1072"
],
"subTechniques": [
"T1059.001",
"T1059.006",
"T1053.002"
],
"supportingEvidence": {
"type": "tabularEvidences",
"title": "Investigate activity test",
"columns": [
"Date",
"Activity",
"User",
"TestedText",
"TestedValue"
],
"rows": [
[
"2022-01-17T07:03:52.034Z",
"Log on",
"testUser",
"false",
false
],
[
"2022-01-17T07:03:52.034Z",
"Log on",
"testUser2",
"false",
false
],
[
"2022-01-17T07:03:52.034Z",
"Log on",
"testUser3",
"true",
true
]
]
}
}
},
{
"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
"name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"version": "2022-01-01",
"alertType": "VM_SuspiciousScreenSaver",
"systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
"productComponentName": "testName2",
"alertDisplayName": "Suspicious Screensaver process executed",
"description": "The process ‘c:\\users\\contosoUser\\scrsave.scr’ was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.",
"severity": "Medium",
"intent": "Execution",
"startTimeUtc": "2019-05-07T13:51:45.0045913Z",
"endTimeUtc": "2019-05-07T13:51:45.0045913Z",
"resourceIdentifiers": [
{
"azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
"type": "AzureResource"
},
{
"workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
"workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
"workspaceResourceGroup": "myRg1",
"agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
"type": "LogAnalytics"
}
],
"remediationSteps": [
"1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)",
"2. Make sure the machine is completely updated and has an updated anti-malware application installed",
"3. Run a full anti-malware scan and verify that the threat was removed",
"4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)",
"5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)",
"6. Escalate the alert to the information security team"
],
"vendorName": "Microsoft",
"status": "Active",
"extendedLinks": [
{
"Category": "threat_reports",
"Label": "Report: RDP Brute Forcing",
"Href": "https://contoso.com/reports/DisplayReport",
"Type": "webLink"
}
],
"alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
"timeGeneratedUtc": "2019-05-07T13:51:48.3810457Z",
"productName": "Azure Security Center",
"processingEndTimeUtc": "2019-05-07T13:51:48.9810457Z",
"entities": [
{
"dnsDomain": "",
"ntDomain": "",
"hostName": "vm2",
"netBiosName": "vm2",
"azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
"omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
"operatingSystem": "Unknown",
"type": "host",
"OsVersion": null
},
{
"name": "contosoUser",
"ntDomain": "vm2",
"logonId": "0x61450d87",
"sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
"type": "account"
},
{
"directory": "c:\\windows\\system32",
"name": "cmd.exe",
"type": "file"
},
{
"processId": "0x3c44",
"type": "process"
},
{
"directory": "c:\\users\\contosoUser",
"name": "scrsave.scr",
"type": "file"
},
{
"processId": "0x4aec",
"commandLine": "c:\\users\\contosoUser\\scrsave.scr",
"creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
"type": "process"
}
],
"isIncident": true,
"correlationKey": "4hno6LF0xzCl5tqrk4nrBW+MY1BX816W6q6+0srk4",
"compromisedEntity": "vm2",
"extendedProperties": {
"domain name": "vm2",
"user name": "vm2\\contosoUser",
"process name": "c:\\users\\contosoUser\\scrsave.scr",
"command line": "c:\\users\\contosoUser\\scrsave.scr",
"parent process": "cmd.exe",
"process id": "0x4aec",
"account logon id": "0x61450d87",
"user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
"parent process id": "0x3c44",
"resourceType": "Virtual Machine"
},
"techniques": [
"T1059",
"T1053",
"T1072"
],
"subTechniques": [
"T1059.001",
"T1059.006",
"T1053.002"
],
"supportingEvidence": {
"supportingEvidenceList": [
{
"evidenceElements": [
{
"text": {
"arguments": {
"sensitiveEnumerationTypes": {
"type": "string[]",
"value": [
"UseDesKey"
]
},
"domainName": {
"type": "string",
"value": "domainName"
}
},
"localizationKey": "AATP_ALERTS_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT_EVIDENCE_ENUMERATION_DETAIL_A7C00BD7",
"fallback": "Actor enumerated UseDesKey on domain1.test.local"
},
"type": "evidenceElement",
"innerElements": null
}
],
"type": "nestedList"
},
{
"type": "tabularEvidences",
"title": "Investigate activity test",
"columns": [
"Date",
"Activity",
"User",
"TestedText",
"TestedValue"
],
"rows": [
[
"2022-01-17T07:03:52.034Z",
"Log on",
"testUser",
"false",
false
],
[
"2022-01-17T07:03:52.034Z",
"Log on",
"testUser2",
"false",
false
],
[
"2022-01-17T07:03:52.034Z",
"Log on",
"testUser3",
"true",
true
]
]
}
],
"type": "supportingEvidenceList"
}
}
}
]
}Definitions
| Name | Description |
|---|---|
| Alert |
Security alert |
|
Alert |
Changing set of properties depending on the entity type. |
|
Alert |
List of security alerts |
|
alert |
The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified. |
|
alert |
The life cycle status of the alert. |
|
Azure |
Azure resource identifier. |
|
Cloud |
Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.). |
|
Cloud |
The error detail. |
|
Error |
The resource management error additional info. |
| intent |
The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents. |
|
Log |
Represents a Log Analytics workspace scope identifier. |
|
Supporting |
Changing set of properties depending on the supportingEvidence type. |
Alert
Security alert
| Name | Type | Description |
|---|---|---|
| id |
string |
Resource Id |
| name |
string |
Resource name |
| properties.alertDisplayName |
string |
The display name of the alert. |
| properties.alertType |
string |
Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType). |
| properties.alertUri |
string |
A direct link to the alert page in Azure Portal. |
| properties.compromisedEntity |
string |
The display name of the resource most related to this alert. |
| properties.correlationKey |
string |
Key for corelating related alerts. Alerts with the same correlation key considered to be related. |
| properties.description |
string |
Description of the suspicious activity that was detected. |
| properties.endTimeUtc |
string |
The UTC time of the last event or activity included in the alert in ISO8601 format. |
| properties.entities |
A list of entities related to the alert. |
|
| properties.extendedLinks |
object[] |
Links related to the alert |
| properties.extendedProperties |
object |
Custom properties for the alert. |
| properties.intent |
The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents. |
|
| properties.isIncident |
boolean |
This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert. |
| properties.processingEndTimeUtc |
string |
The UTC processing end time of the alert in ISO8601 format. |
| properties.productComponentName |
string |
The name of Azure Security Center pricing tier which powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing |
| properties.productName |
string |
The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on). |
| properties.remediationSteps |
string[] |
Manual action items to take to remediate the alert. |
| properties.resourceIdentifiers | ResourceIdentifier[]: |
The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert. |
| properties.severity |
The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified. |
|
| properties.startTimeUtc |
string |
The UTC time of the first event or activity included in the alert in ISO8601 format. |
| properties.status |
The life cycle status of the alert. |
|
| properties.subTechniques |
string[] |
Kill chain related sub-techniques behind the alert. |
| properties.supportingEvidence |
Changing set of properties depending on the supportingEvidence type. |
|
| properties.systemAlertId |
string |
Unique identifier for the alert. |
| properties.techniques |
string[] |
kill chain related techniques behind the alert. |
| properties.timeGeneratedUtc |
string |
The UTC time the alert was generated in ISO8601 format. |
| properties.vendorName |
string |
The name of the vendor that raises the alert. |
| properties.version |
string |
Schema version. |
| type |
string |
Resource type |
AlertEntity
Changing set of properties depending on the entity type.
| Name | Type | Description |
|---|---|---|
| type |
string |
Type of entity |
AlertList
List of security alerts
| Name | Type | Description |
|---|---|---|
| nextLink |
string |
The URI to fetch the next page. |
| value |
Alert[] |
describes security alert properties. |
alertSeverity
The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.
| Name | Type | Description |
|---|---|---|
| High |
string |
High |
| Informational |
string |
Informational |
| Low |
string |
Low |
| Medium |
string |
Medium |
alertStatus
The life cycle status of the alert.
| Name | Type | Description |
|---|---|---|
| Active |
string |
An alert which doesn't specify a value is assigned the status 'Active' |
| Dismissed |
string |
Alert dismissed as false positive |
| InProgress |
string |
An alert which is in handling state |
| Resolved |
string |
Alert closed after handling |
AzureResourceIdentifier
Azure resource identifier.
| Name | Type | Description |
|---|---|---|
| azureResourceId |
string |
ARM resource identifier for the cloud resource being alerted on |
| type |
string:
Azure |
There can be multiple identifiers of different type per alert, this field specify the identifier type. |
CloudError
Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
| Name | Type | Description |
|---|---|---|
| error.additionalInfo |
The error additional info. |
|
| error.code |
string |
The error code. |
| error.details |
The error details. |
|
| error.message |
string |
The error message. |
| error.target |
string |
The error target. |
CloudErrorBody
The error detail.
| Name | Type | Description |
|---|---|---|
| additionalInfo |
The error additional info. |
|
| code |
string |
The error code. |
| details |
The error details. |
|
| message |
string |
The error message. |
| target |
string |
The error target. |
ErrorAdditionalInfo
The resource management error additional info.
| Name | Type | Description |
|---|---|---|
| info |
object |
The additional info. |
| type |
string |
The additional info type. |
intent
The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.
| Name | Type | Description |
|---|---|---|
| Collection |
string |
Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. |
| CommandAndControl |
string |
The command and control tactic represents how adversaries communicate with systems under their control within a target network. |
| CredentialAccess |
string |
Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. |
| DefenseEvasion |
string |
Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. |
| Discovery |
string |
Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. |
| Execution |
string |
The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. |
| Exfiltration |
string |
Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. |
| Exploitation |
string |
Exploitation is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc. |
| Impact |
string |
Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. |
| InitialAccess |
string |
InitialAccess is the stage where an attacker manages to get foothold on the attacked resource. |
| LateralMovement |
string |
Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. |
| Persistence |
string |
Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system. |
| PreAttack |
string |
PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and find a way in. Further details on the PreAttack stage can be read in MITRE Pre-Att&ck matrix. |
| PrivilegeEscalation |
string |
Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. |
| Probing |
string |
Probing could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. |
| Unknown |
string |
Unknown |
LogAnalyticsIdentifier
Represents a Log Analytics workspace scope identifier.
| Name | Type | Description |
|---|---|---|
| agentId |
string |
(optional) The LogAnalytics agent id reporting the event that this alert is based on. |
| type |
string:
Log |
There can be multiple identifiers of different type per alert, this field specify the identifier type. |
| workspaceId |
string |
The LogAnalytics workspace id that stores this alert. |
| workspaceResourceGroup |
string |
The azure resource group for the LogAnalytics workspace storing this alert |
| workspaceSubscriptionId |
string |
The azure subscription id for the LogAnalytics workspace storing this alert. |
SupportingEvidence
Changing set of properties depending on the supportingEvidence type.
| Name | Type | Description |
|---|---|---|
| type |
string |
Type of the supportingEvidence |