Azure fraud notification - Update fraud event status
Applies to: Partner Center API
After you have investigated the fraud activities for each reported Azure resource and determined whether the behavior is fraudulent or legitimate, you can use this API to update the fraud event status with the appropriate reason.
Note
This API only updates the event status; it does not resolve the fraud activity on behalf of CSP partners.
As of May 2023, pilot partners can use this API with the New Events Model. With the new model, you can update new types of alerts as they're added to the system, for example, anomalous compute usage, crypto mining, Azure Machine Learning usage and service health advisory notifications.
Prerequisites
Credentials as described in Partner Center authentication. This scenario supports authentication with App+User credentials.
Use the following query parameters when creating the request.

| Name | Type | Required | Description |
|---|---|---|---|
| SubscriptionId | string | Yes | The Azure subscription ID that has the crypto-mining activities |
Request body

| Property | Type | Required | Description |
|---|---|---|---|
| eventIds | string[] | No | Leave eventIds empty to update the status of all fraud events under the given subscription ID |
| eventStatus | string | No | The fraud alert status. It can be Active, Resolved, or Investigating. |
| resolvedReason | string | Yes | When a fraud event is resolved, set an appropriate reason code. The accepted reason codes are Fraud and Ignore. |
REST response
If successful, this method returns a collection of Fraud events in the response body.
Response success and error codes
Each response comes with an HTTP status code that indicates success or failure and more debugging information. Use a network trace tool to read this code, error type, and more parameters. For the full list, see Error Codes.
Use the following query parameters when creating the request.

| Name | Type | Required | Description |
|---|---|---|---|
| SubscriptionId | string | Yes | The Azure subscription ID that has the crypto-mining activities |
Request body

| Property | Type | Required | Description |
|---|---|---|---|
| eventIds | string[] | No | Leave eventIds empty to update the status of all fraud events under the given subscription ID |
| eventStatus | string | Yes | Set it to Resolve to resolve the fraud event, or to Investigating to investigate a fraud event. |
| resolvedReason | string | Yes | When a fraud event is resolved, set an appropriate reason code. The accepted reason codes are Fraud and Ignore. |
REST response
If successful, this method returns a collection of Fraud events with extended attributes in the response body.
Response success and error codes
Each response comes with an HTTP status code that indicates success or failure and more debugging information. Use a network trace tool to read this code, error type, and more parameters. For the full list, see Error Codes.
| Property | Type | Description |
|---|---|---|
| | | The tenant ID of the partner associated with the alert |
| partnerFriendlyName | string | A friendly name for the partner tenant |
| customerTenantId | string | The tenant ID of the customer associated with the alert |
| customerFriendlyName | string | A friendly name for the customer tenant |
| subscriptionId | string | The subscription ID of the customer tenant |
| subscriptionType | string | The subscription type of the customer tenant |
| entityId | string | The unique identifier for the alert |
| entityName | string | The name of the compromised entity |
| entityUrl | string | The entity URL of the resource |
| hitCount | string | The number of connections detected between firstObserved and lastObserved |
| catalogOfferId | string | The modern offer category ID of the subscription |
| eventStatus | string | The status of the alert: Active, Investigating, or Resolved |
| serviceName | string | The name of the Azure service associated with the alert |
| resourceName | string | The name of the Azure resource associated with the alert |
| resourceGroupName | string | The name of the Azure resource group associated with the alert |
| firstOccurrence | datetime | The impact start time of the alert (the time of the first event or activity included in the alert) |
| lastOccurrence | datetime | The impact end time of the alert (the time of the last event or activity included in the alert) |
| resolvedReason | string | The reason provided by the partner for addressing the alert status |
| resolvedOn | datetime | The time when the alert was resolved |
| resolvedBy | string | The user who resolved the alert |
| firstObserved | datetime | The impact start time of the alert (the time of the first event or activity included in the alert) |
| lastObserved | datetime | The impact end time of the alert (the time of the last event or activity included in the alert) |
| eventType | string | The type of alert: ServiceHealthSecurityAdvisory, UsageAnomalyDetection, MultiRegionVirtualMachineScaleSetDeploymentAnomaly, NetworkConnectionsToCryptoMiningPools, VirtualMachineDeploymentAnomaly, MultiRegionMachineLearningUsageAnomaly |
| severity | string | The severity of the alert (values: Low, Medium, High) |
| confidenceLevel | string | The confidence level of the alert (values: Low, Medium, High) |
| displayName | string | A user-friendly display name for the alert, depending on the alert type |
| description | string | A description of the alert |
| country | string | The country code for the partner tenant |
| valueAddedResellerTenantId | string | The tenant ID of the value added reseller associated with the partner tenant and customer tenant |
| valueAddedResellerFriendlyName | string | A friendly name for the value added reseller |
| subscriptionName | string | The subscription name of the customer tenant |
| affectedResources | JSON array | The list of affected resources. For some alert types this list is empty, in which case the partner needs to check usage and consumption at the subscription level. |
| additionalDetails | JSON object | A dictionary of other key-value pairs required for identifying and managing the security alert |
| isTest | string | true if the alert was generated for testing, otherwise false |
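The following Python is an added example, not code from the Partner Center documentation or SDK. It builds and validates an update request body against the constraints documented in the tables above (required SubscriptionId, the allowed eventStatus and resolvedReason values, empty eventIds meaning "all events"), and then triages a returned collection of fraud events: test alerts are skipped, alerts are counted per eventType and severity, Active alerts are listed, and alerts with an empty affectedResources list are flagged for subscription-level review as the table requires. The request URI and HTTP method are not given on this page, so ENDPOINT_PLACEHOLDER is a labelled placeholder; the sample response and all ids in it are constructed for the example.

```python
"""Added example (not part of the Partner Center docs): validate an update
request for the fraud-event API described above and triage its response."""
from datetime import datetime
from typing import Optional

# Allowed values, taken from the request-body and response tables above.
VALID_EVENT_STATUS = {"Active", "Resolved", "Investigating"}
VALID_RESOLVED_REASON = {"Fraud", "Ignore"}

# Placeholder: the real request URI is not documented on this page.
ENDPOINT_PLACEHOLDER = "https://<partner-center-api-host>/<fraud-events-path>"


def build_update_request(subscription_id: str,
                         event_ids: Optional[list] = None,
                         event_status: Optional[str] = None,
                         resolved_reason: Optional[str] = None) -> dict:
    """Return the query parameters and JSON body for an update call.

    Enforces the documented constraints before anything is sent:
    SubscriptionId is required; eventIds empty/omitted means every fraud
    event under the subscription; eventStatus, when given, must be one of
    Active/Resolved/Investigating; resolvedReason is required and must be
    Fraud or Ignore.
    """
    if not subscription_id:
        raise ValueError("SubscriptionId query parameter is required")
    if event_status is not None and event_status not in VALID_EVENT_STATUS:
        raise ValueError(f"eventStatus must be one of {sorted(VALID_EVENT_STATUS)}")
    if resolved_reason not in VALID_RESOLVED_REASON:
        raise ValueError(f"resolvedReason must be one of {sorted(VALID_RESOLVED_REASON)}")
    body = {"eventIds": list(event_ids or []), "resolvedReason": resolved_reason}
    if event_status is not None:
        body["eventStatus"] = event_status
    return {"url": ENDPOINT_PLACEHOLDER,
            "params": {"SubscriptionId": subscription_id},
            "body": body}


def _is_test(event: dict) -> bool:
    # isTest is documented as a string ("true"/"false"); a bool is accepted too.
    return str(event.get("isTest", "false")).lower() == "true"


def summarize_events(events: list) -> dict:
    """Triage summary of a returned fraud-event collection."""
    summary = {"by_type": {}, "by_severity": {}, "active": [],
               "needs_subscription_review": [], "test_alerts_skipped": 0}
    for ev in events:
        if _is_test(ev):
            summary["test_alerts_skipped"] += 1
            continue
        etype = ev.get("eventType", "Unknown")
        sev = ev.get("severity", "Unknown")
        summary["by_type"][etype] = summary["by_type"].get(etype, 0) + 1
        summary["by_severity"][sev] = summary["by_severity"].get(sev, 0) + 1
        if ev.get("eventStatus") == "Active":
            summary["active"].append(ev.get("entityId"))
        # Empty affectedResources: the table says to check the subscription level.
        if not ev.get("affectedResources"):
            summary["needs_subscription_review"].append(ev.get("entityId"))
    return summary


def impact_window_hours(event: dict) -> float:
    """Hours between firstOccurrence and lastOccurrence (ISO 8601, 'Z' suffix)."""
    start = datetime.fromisoformat(event["firstOccurrence"].replace("Z", "+00:00"))
    end = datetime.fromisoformat(event["lastOccurrence"].replace("Z", "+00:00"))
    return (end - start).total_seconds() / 3600


# Constructed sample response: ids, names and times are made up for this example.
SAMPLE_RESPONSE = [
    {"entityId": "evt-001", "eventType": "NetworkConnectionsToCryptoMiningPools",
     "severity": "High", "eventStatus": "Active", "isTest": "false",
     "firstOccurrence": "2023-05-01T10:00:00Z", "lastOccurrence": "2023-05-01T16:30:00Z",
     "affectedResources": [{"resourceName": "vm-example-1"}]},
    {"entityId": "evt-002", "eventType": "UsageAnomalyDetection",
     "severity": "Medium", "eventStatus": "Resolved", "isTest": "false",
     "resolvedReason": "Ignore",
     "firstOccurrence": "2023-05-02T00:00:00Z", "lastOccurrence": "2023-05-02T03:00:00Z",
     "affectedResources": []},
    {"entityId": "evt-003", "eventType": "UsageAnomalyDetection",
     "severity": "Low", "eventStatus": "Active", "isTest": "true",
     "firstOccurrence": "2023-05-03T00:00:00Z", "lastOccurrence": "2023-05-03T01:00:00Z",
     "affectedResources": []},
]

if __name__ == "__main__":
    print(build_update_request("00000000-0000-0000-0000-000000000000",
                               event_ids=["evt-001"], event_status="Resolved",
                               resolved_reason="Fraud"))
    print(summarize_events(SAMPLE_RESPONSE))
    print(impact_window_hours(SAMPLE_RESPONSE[0]))
```

Validating the body locally means a typo such as "Resolve" versus "Resolved" or an unsupported reason code is caught before the call, and the summary gives a triage view (what is still Active, what needs a subscription-level usage check) that the raw collection does not.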