Alerts - List

List all the alerts that are associated with the subscription

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts?api-version=2022-01-01

URI Parameters

Name In Required Type Description
subscriptionId
path True

string

Azure subscription ID

Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$

api-version
query True

string

API version for the operation

Responses

Name Type Description
200 OK

AlertList

OK

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get security alerts on a subscription

Sample request

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/alerts?api-version=2022-01-01

Sample response

{
  "value": [
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
      "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
      "type": "Microsoft.Security/Locations/alerts",
      "properties": {
        "version": "2022-01-01",
        "alertType": "VM_EICAR",
        "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
        "productComponentName": "testName",
        "alertDisplayName": "Azure Security Center test alert (not a threat)",
        "description": "This is a test alert generated by Azure Security Center. No further action is needed.",
        "severity": "High",
        "intent": "Execution",
        "startTimeUtc": "2020-02-22T00:00:00.0000000Z",
        "endTimeUtc": "2020-02-22T00:00:00.0000000Z",
        "resourceIdentifiers": [
          {
            "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
            "type": "AzureResource"
          },
          {
            "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
            "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
            "workspaceResourceGroup": "myRg1",
            "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
            "type": "LogAnalytics"
          }
        ],
        "remediationSteps": [
          "No further action is needed."
        ],
        "vendorName": "Microsoft",
        "status": "Active",
        "extendedLinks": [
          {
            "Category": "threat_reports",
            "Label": "Report: RDP Brute Forcing",
            "Href": "https://contoso.com/reports/DisplayReport",
            "Type": "webLink"
          }
        ],
        "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
        "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z",
        "productName": "Azure Security Center",
        "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z",
        "entities": [
          {
            "address": "192.0.2.1",
            "location": {
              "countryCode": "gb",
              "state": "wokingham",
              "city": "sonning",
              "longitude": -0.909,
              "latitude": 51.468,
              "asn": 6584
            },
            "type": "ip"
          }
        ],
        "isIncident": true,
        "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=",
        "extendedProperties": {
          "Property1": "Property1 information"
        },
        "compromisedEntity": "vm1",
        "techniques": [
          "T1059",
          "T1053",
          "T1072"
        ],
        "subTechniques": [
          "T1059.001",
          "T1059.006",
          "T1053.002"
        ],
        "supportingEvidence": {
          "type": "tabularEvidences",
          "title": "Investigate activity test",
          "columns": [
            "Date",
            "Activity",
            "User",
            "TestedText",
            "TestedValue"
          ],
          "rows": [
            [
              "2022-01-17T07:03:52.034Z",
              "Log on",
              "testUser",
              "false",
              false
            ],
            [
              "2022-01-17T07:03:52.034Z",
              "Log on",
              "testUser2",
              "false",
              false
            ],
            [
              "2022-01-17T07:03:52.034Z",
              "Log on",
              "testUser3",
              "true",
              true
            ]
          ]
        }
      }
    },
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
      "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
      "type": "Microsoft.Security/Locations/alerts",
      "properties": {
        "version": "2022-01-01",
        "alertType": "VM_SuspiciousScreenSaver",
        "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
        "productComponentName": "testName2",
        "alertDisplayName": "Suspicious Screensaver process executed",
        "description": "The process ‘c:\\users\\contosoUser\\scrsave.scr’ was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.",
        "severity": "Medium",
        "intent": "Execution",
        "startTimeUtc": "2019-05-07T13:51:45.0045913Z",
        "endTimeUtc": "2019-05-07T13:51:45.0045913Z",
        "resourceIdentifiers": [
          {
            "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
            "type": "AzureResource"
          },
          {
            "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
            "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
            "workspaceResourceGroup": "myRg1",
            "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
            "type": "LogAnalytics"
          }
        ],
        "remediationSteps": [
          "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)",
          "2. Make sure the machine is completely updated and has an updated anti-malware application installed",
          "3. Run a full anti-malware scan and verify that the threat was removed",
          "4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)",
          "5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)",
          "6. Escalate the alert to the information security team"
        ],
        "vendorName": "Microsoft",
        "status": "Active",
        "extendedLinks": [
          {
            "Category": "threat_reports",
            "Label": "Report: RDP Brute Forcing",
            "Href": "https://contoso.com/reports/DisplayReport",
            "Type": "webLink"
          }
        ],
        "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
        "timeGeneratedUtc": "2019-05-07T13:51:48.3810457Z",
        "productName": "Azure Security Center",
        "processingEndTimeUtc": "2019-05-07T13:51:48.9810457Z",
        "entities": [
          {
            "dnsDomain": "",
            "ntDomain": "",
            "hostName": "vm2",
            "netBiosName": "vm2",
            "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
            "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
            "operatingSystem": "Unknown",
            "type": "host",
            "OsVersion": null
          },
          {
            "name": "contosoUser",
            "ntDomain": "vm2",
            "logonId": "0x61450d87",
            "sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
            "type": "account"
          },
          {
            "directory": "c:\\windows\\system32",
            "name": "cmd.exe",
            "type": "file"
          },
          {
            "processId": "0x3c44",
            "type": "process"
          },
          {
            "directory": "c:\\users\\contosoUser",
            "name": "scrsave.scr",
            "type": "file"
          },
          {
            "processId": "0x4aec",
            "commandLine": "c:\\users\\contosoUser\\scrsave.scr",
            "creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
            "type": "process"
          }
        ],
        "isIncident": true,
        "correlationKey": "4hno6LF0xzCl5tqrk4nrBW+MY1BX816W6q6+0srk4",
        "compromisedEntity": "vm2",
        "extendedProperties": {
          "domain name": "vm2",
          "user name": "vm2\\contosoUser",
          "process name": "c:\\users\\contosoUser\\scrsave.scr",
          "command line": "c:\\users\\contosoUser\\scrsave.scr",
          "parent process": "cmd.exe",
          "process id": "0x4aec",
          "account logon id": "0x61450d87",
          "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
          "parent process id": "0x3c44",
          "resourceType": "Virtual Machine"
        },
        "techniques": [
          "T1059",
          "T1053",
          "T1072"
        ],
        "subTechniques": [
          "T1059.001",
          "T1059.006",
          "T1053.002"
        ],
        "supportingEvidence": {
          "supportingEvidenceList": [
            {
              "evidenceElements": [
                {
                  "text": {
                    "arguments": {
                      "sensitiveEnumerationTypes": {
                        "type": "string[]",
                        "value": [
                          "UseDesKey"
                        ]
                      },
                      "domainName": {
                        "type": "string",
                        "value": "domainName"
                      }
                    },
                    "localizationKey": "AATP_ALERTS_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT_EVIDENCE_ENUMERATION_DETAIL_A7C00BD7",
                    "fallback": "Actor enumerated UseDesKey on domain1.test.local"
                  },
                  "type": "evidenceElement",
                  "innerElements": null
                }
              ],
              "type": "nestedList"
            },
            {
              "type": "tabularEvidences",
              "title": "Investigate activity test",
              "columns": [
                "Date",
                "Activity",
                "User",
                "TestedText",
                "TestedValue"
              ],
              "rows": [
                [
                  "2022-01-17T07:03:52.034Z",
                  "Log on",
                  "testUser",
                  "false",
                  false
                ],
                [
                  "2022-01-17T07:03:52.034Z",
                  "Log on",
                  "testUser2",
                  "false",
                  false
                ],
                [
                  "2022-01-17T07:03:52.034Z",
                  "Log on",
                  "testUser3",
                  "true",
                  true
                ]
              ]
            }
          ],
          "type": "supportingEvidenceList"
        }
      }
    }
  ]
}

Definitions

Name Description
Alert

Security alert

AlertEntity

Changing set of properties depending on the entity type.

AlertList

List of security alerts

alertSeverity

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.

alertStatus

The life cycle status of the alert.

AzureResourceIdentifier

Azure resource identifier.

CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).

CloudErrorBody

The error detail.

ErrorAdditionalInfo

The resource management error additional info.

intent

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.

LogAnalyticsIdentifier

Represents a Log Analytics workspace scope identifier.

SupportingEvidence

Changing set of properties depending on the supportingEvidence type.

Alert

Security alert

Name Type Description
id

string

Resource Id

name

string

Resource name

properties.alertDisplayName

string

The display name of the alert.

properties.alertType

string

Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType).

properties.alertUri

string

A direct link to the alert page in Azure Portal.

properties.compromisedEntity

string

The display name of the resource most related to this alert.

properties.correlationKey

string

Key for corelating related alerts. Alerts with the same correlation key considered to be related.

properties.description

string

Description of the suspicious activity that was detected.

properties.endTimeUtc

string

The UTC time of the last event or activity included in the alert in ISO8601 format.

properties.entities

AlertEntity[]

A list of entities related to the alert.

properties.extendedLinks

object[]

Links related to the alert

properties.extendedProperties

object

Custom properties for the alert.

properties.intent

intent

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.

properties.isIncident

boolean

This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert.

properties.processingEndTimeUtc

string

The UTC processing end time of the alert in ISO8601 format.

properties.productComponentName

string

The name of Azure Security Center pricing tier which powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing

properties.productName

string

The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on).

properties.remediationSteps

string[]

Manual action items to take to remediate the alert.

properties.resourceIdentifiers ResourceIdentifier[]:

The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.

properties.severity

alertSeverity

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.

properties.startTimeUtc

string

The UTC time of the first event or activity included in the alert in ISO8601 format.

properties.status

alertStatus

The life cycle status of the alert.

properties.subTechniques

string[]

Kill chain related sub-techniques behind the alert.

properties.supportingEvidence

SupportingEvidence

Changing set of properties depending on the supportingEvidence type.

properties.systemAlertId

string

Unique identifier for the alert.

properties.techniques

string[]

kill chain related techniques behind the alert.

properties.timeGeneratedUtc

string

The UTC time the alert was generated in ISO8601 format.

properties.vendorName

string

The name of the vendor that raises the alert.

properties.version

string

Schema version.

type

string

Resource type

AlertEntity

Changing set of properties depending on the entity type.

Name Type Description
type

string

Type of entity

AlertList

List of security alerts

Name Type Description
nextLink

string

The URI to fetch the next page.

value

Alert[]

describes security alert properties.

alertSeverity

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.

Name Type Description
High

string

High

Informational

string

Informational

Low

string

Low

Medium

string

Medium

alertStatus

The life cycle status of the alert.

Name Type Description
Active

string

An alert which doesn't specify a value is assigned the status 'Active'

Dismissed

string

Alert dismissed as false positive

InProgress

string

An alert which is in handling state

Resolved

string

Alert closed after handling

AzureResourceIdentifier

Azure resource identifier.

Name Type Description
azureResourceId

string

ARM resource identifier for the cloud resource being alerted on

type string:

AzureResource

There can be multiple identifiers of different type per alert, this field specify the identifier type.

CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).

Name Type Description
error.additionalInfo

ErrorAdditionalInfo[]

The error additional info.

error.code

string

The error code.

error.details

CloudErrorBody[]

The error details.

error.message

string

The error message.

error.target

string

The error target.

CloudErrorBody

The error detail.

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.

code

string

The error code.

details

CloudErrorBody[]

The error details.

message

string

The error message.

target

string

The error target.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info

object

The additional info.

type

string

The additional info type.

intent

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.

Name Type Description
Collection

string

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.

CommandAndControl

string

The command and control tactic represents how adversaries communicate with systems under their control within a target network.

CredentialAccess

string

Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.

DefenseEvasion

string

Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses.

Discovery

string

Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network.

Execution

string

The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system.

Exfiltration

string

Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network.

Exploitation

string

Exploitation is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc.

Impact

string

Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process.

InitialAccess

string

InitialAccess is the stage where an attacker manages to get foothold on the attacked resource.

LateralMovement

string

Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems.

Persistence

string

Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system.

PreAttack

string

PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and find a way in. Further details on the PreAttack stage can be read in MITRE Pre-Att&ck matrix.

PrivilegeEscalation

string

Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.

Probing

string

Probing could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation.

Unknown

string

Unknown

LogAnalyticsIdentifier

Represents a Log Analytics workspace scope identifier.

Name Type Description
agentId

string

(optional) The LogAnalytics agent id reporting the event that this alert is based on.

type string:

LogAnalytics

There can be multiple identifiers of different type per alert, this field specify the identifier type.

workspaceId

string

The LogAnalytics workspace id that stores this alert.

workspaceResourceGroup

string

The azure resource group for the LogAnalytics workspace storing this alert

workspaceSubscriptionId

string

The azure subscription id for the LogAnalytics workspace storing this alert.

SupportingEvidence

Changing set of properties depending on the supportingEvidence type.

Name Type Description
type

string

Type of the supportingEvidence