Alerts - List Subscription Level Alerts By Region
Lists all alerts associated with the subscription that are stored in a specific location.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts?api-version=2015-06-01-preview
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts?api-version=2015-06-01-preview&$filter={$filter}&$select={$select}&$expand={$expand}
URI Parameters

Name | In | Required | Type | Description |
---|---|---|---|---|
ascLocation | path | True | string | The location where ASC stores the data of the subscription. Can be retrieved from Get locations. |
subscriptionId | path | True | string pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$ | Azure subscription ID |
api-version | query | True | string | API version for the operation |
$expand | query | | string | OData expand. Optional. |
$filter | query | | string | OData filter. Optional. |
$select | query | | string | OData select. Optional. |
Responses

Name | Type | Description |
---|---|---|
200 OK | AlertList | OK |
Other Status Codes | CloudError | Error response describing why the operation failed. |
Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples

Get security alerts on a subscription from a security data location

Sample request

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/locations/westeurope/alerts?api-version=2015-06-01-preview

Sample response
```json
{
  "value": [
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
      "type": "Microsoft.Security/Locations/alerts",
      "properties": {
        "vendorName": "Microsoft",
        "alertDisplayName": "Threat Intelligence Alert",
        "alertName": "ThreatIntelligence",
        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
        "description": "Process was detected running on the host and is considered to be suspicious, verify that the user run it",
        "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
        "actionTaken": "Detected",
        "reportedSeverity": "High",
        "compromisedEntity": "vm1",
        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
        "extendedProperties": {
          "user Name": "administrator",
          "domain Name": "Contoso",
          "attacker IP": "192.0.2.1",
          "resourceType": "Virtual Machine"
        },
        "state": "Dismissed",
        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
        "confidenceScore": 0.8,
        "confidenceReasons": [
          {
            "type": "User",
            "reason": "Some user reason"
          },
          {
            "type": "Process",
            "reason": "Some proccess reason"
          },
          {
            "type": "Computer",
            "reason": "Some computer reason"
          }
        ],
        "canBeInvestigated": true,
        "isIncident": false,
        "entities": [
          {
            "address": "192.0.2.1",
            "location": {
              "countryCode": "gb",
              "state": "wokingham",
              "city": "sonning",
              "longitude": -0.909,
              "latitude": 51.468,
              "asn": 6584
            },
            "threatIntelligence": [
              {
                "providerName": "Team Cymru",
                "threatType": "C2",
                "threatName": "rarog",
                "confidence": 0.8,
                "reportLink": "http://www.microsoft.com",
                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
              }
            ],
            "type": "ip"
          }
        ],
        "correlationKey": "<correlationKey>"
      }
    },
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
      "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
      "type": "Microsoft.Security/Locations/alerts",
      "properties": {
        "systemSource": "Azure",
        "vendorName": "Microsoft",
        "alertDisplayName": "Suspicious Screensaver process executed",
        "alertName": "SuspiciousScreenSaver",
        "detectedTimeUtc": "2018-05-07T13:51:45.0045913Z",
        "description": "The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.",
        "remediationSteps": "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team",
        "actionTaken": "Detected",
        "reportedSeverity": "Low",
        "compromisedEntity": "vm2",
        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        "instanceId": "2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
        "extendedProperties": {
          "domain name": "vm2",
          "user name": "vm2\\contosoUser",
          "process name": "c:\\users\\contosoUser\\scrsave.scr",
          "command line": "c:\\users\\contosoUser\\scrsave.scr",
          "parent process": "cmd.exe",
          "process id": "0x4aec",
          "account logon id": "0x61450d87",
          "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
          "parent process id": "0x3c44",
          "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}",
          "resourceType": "Virtual Machine"
        },
        "state": "Active",
        "reportedTimeUtc": "2018-05-07T13:51:48.3810457Z",
        "workspaceArmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu",
        "confidenceScore": 0.3,
        "confidenceReasons": [
          {
            "type": "Process",
            "reason": "Suspicious process execution history for this subscription"
          },
          {
            "type": "Process",
            "reason": "Suspicious process execution history for this subscription"
          },
          {
            "type": "Process",
            "reason": "cmd.exe appeared in multiple alerts of the same type"
          }
        ],
        "canBeInvestigated": true,
        "entities": [
          {
            "dnsDomain": "",
            "ntDomain": "",
            "hostName": "vm2",
            "netBiosName": "vm2",
            "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
            "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
            "operatingSystem": "Unknown",
            "type": "host",
            "OsVersion": null
          },
          {
            "name": "contosoUser",
            "ntDomain": "vm2",
            "logonId": "0x61450d87",
            "sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
            "type": "account"
          },
          {
            "directory": "c:\\windows\\system32",
            "name": "cmd.exe",
            "type": "file"
          },
          {
            "processId": "0x3c44",
            "type": "process"
          },
          {
            "directory": "c:\\users\\contosoUser",
            "name": "scrsave.scr",
            "type": "file"
          },
          {
            "processId": "0x4aec",
            "commandLine": "c:\\users\\contosoUser\\scrsave.scr",
            "creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
            "type": "process"
          }
        ],
        "correlationKey": "6Lso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9MY1"
      }
    }
  ]
}
```
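Added example (not from the Azure documentation): a small client-side consumer that follows `AlertList.nextLink` across result pages and triages the alerts it receives, counting them per `reportedSeverity`, listing the `Active` ones and collecting IP entities that carry `threatIntelligence`. `fetch_page` and the two constructed `PAGES` entries are stand-ins that mirror the shape of the sample response above; a real caller would replace `fetch_page` with an authenticated GET of the request URL shown above.

```python
from collections import Counter

# Constructed pages mirroring the sample response's shape (trimmed to the
# fields this example reads); not a real API response.
PAGES = {
    "page1": {"value": [{
        "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
        "properties": {"alertName": "ThreatIntelligence", "reportedSeverity": "High",
                       "state": "Dismissed", "compromisedEntity": "vm1",
                       "entities": [{"type": "ip", "address": "192.0.2.1",
                                     "threatIntelligence": [{"threatType": "C2",
                                                             "threatName": "rarog"}]}]}}],
              "nextLink": "page2"},
    "page2": {"value": [{
        "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
        "properties": {"alertName": "SuspiciousScreenSaver", "reportedSeverity": "Low",
                       "state": "Active", "compromisedEntity": "vm2",
                       "entities": [{"type": "host", "hostName": "vm2"},
                                    {"type": "process", "processId": "0x4aec"}]}}]},
}

def fetch_page(url):
    """Stand-in for an authenticated GET of one AlertList page (offline)."""
    return PAGES[url]

def list_alerts(first_url, fetch=fetch_page):
    """Yield every Alert, following AlertList.nextLink until it is absent."""
    url = first_url
    while url:
        body = fetch(url)
        yield from body.get("value", [])
        url = body.get("nextLink")  # missing or empty on the last page

def summarize(alerts):
    """Count alerts per reportedSeverity, list the Active ones, and collect
    IP entities with threat-intelligence context. Dismissed alerts are kept
    in the counts and indicators: their IOCs are still useful to a defender."""
    severity, active, indicators = Counter(), [], []
    for alert in alerts:
        p = alert["properties"]
        severity[p["reportedSeverity"]] += 1
        if p["state"] == "Active":
            active.append((alert["name"], p["alertName"], p["compromisedEntity"]))
        for e in p.get("entities", []):
            if e.get("type") == "ip":
                for ti in e.get("threatIntelligence", []):
                    indicators.append((e["address"], ti["threatType"], ti["threatName"]))
    return {"severity": dict(severity), "active": active, "indicators": indicators}
```

Server-side narrowing is also possible through the `$filter` query parameter documented above; the client-side pass here is what a triage script still needs once the pages arrive.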
Definitions

Name | Description |
---|---|
Alert | Security alert |
AlertConfidenceReason | Factor that increases our confidence that the alert is a true positive |
AlertEntity | Changing set of properties depending on the entity type. |
AlertList | List of security alerts |
CloudError | Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.) |
CloudErrorBody | The error detail. |
ErrorAdditionalInfo | The resource management error additional info. |
reportedSeverity | The estimated severity of this alert |
Alert

Security alert

Name | Type | Description |
---|---|---|
id | string | Resource Id |
name | string | Resource name |
properties.actionTaken | string | The action that was taken as a response to the alert (Active, Blocked etc.) |
properties.alertDisplayName | string | Display name of the alert type |
properties.alertName | string | Name of the alert type |
properties.associatedResource | string | Azure resource ID of the associated resource |
properties.canBeInvestigated | boolean | Whether this alert can be investigated with Azure Security Center |
properties.compromisedEntity | string | The entity that the incident happened on |
properties.confidenceReasons | AlertConfidenceReason[] | Reasons the alert got the confidenceScore value |
properties.confidenceScore | number (float) minimum: 0 maximum: 1 | Level of confidence we have on the alert |
properties.correlationKey | string | Alerts with the same CorrelationKey will be grouped together in Ibiza. |
properties.description | string | Description of the incident and what it means |
properties.detectedTimeUtc | string (date-time) | The time the incident was detected by the vendor |
properties.entities | AlertEntity[] | Objects that are related to this alert |
properties.extendedProperties | object | Changing set of properties depending on the alert type. |
properties.instanceId | string | Instance ID of the alert. |
properties.isIncident | boolean | Whether this alert is for an incident type (otherwise a single alert) |
properties.remediationSteps | string | Recommended steps to remediate the incident |
properties.reportedSeverity | reportedSeverity | Estimated severity of this alert |
properties.reportedTimeUtc | string (date-time) | The time the incident was reported to Microsoft.Security in UTC |
properties.state | string | State of the alert (Active, Dismissed etc.) |
properties.subscriptionId | string | Azure subscription ID of the resource that had the security alert, or the subscription ID of the workspace that this resource reports to |
properties.systemSource | string | The type of the alerted resource (Azure, Non-Azure) |
properties.vendorName | string | Name of the vendor that discovered the incident |
properties.workspaceArmId | string | Azure resource ID of the workspace that the alert was reported to. |
type | string | Resource type |
AlertConfidenceReason

Factor that increases our confidence that the alert is a true positive

Name | Type | Description |
---|---|---|
reason | string | Description of the confidence reason |
type | string | Type of confidence factor |
AlertEntity

Changing set of properties depending on the entity type.

Name | Type | Description |
---|---|---|
type | string | Type of entity |
AlertList

List of security alerts

Name | Type | Description |
---|---|---|
nextLink | string | The URI to fetch the next page. |
value | Alert[] | Security alerts |
CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.)

Name | Type | Description |
---|---|---|
error.additionalInfo | ErrorAdditionalInfo[] | The error additional info. |
error.code | string | The error code. |
error.details | CloudErrorBody[] | The error details. |
error.message | string | The error message. |
error.target | string | The error target. |
CloudErrorBody

The error detail.

Name | Type | Description |
---|---|---|
additionalInfo | ErrorAdditionalInfo[] | The error additional info. |
code | string | The error code. |
details | CloudErrorBody[] | The error details. |
message | string | The error message. |
target | string | The error target. |
ErrorAdditionalInfo

The resource management error additional info.

Name | Type | Description |
---|---|---|
info | object | The additional info. |
type | string | The additional info type. |
reportedSeverity

The estimated severity of this alert

Value | Description |
---|---|
High | |
Information | |
Low | |
Silent | |