AlexanderGeorgiev asked JamesTran-MSFT commented

Azure Graph Alerts are masked - how to unmask?

Hi,

I am using the Azure CLI to query Security Alerts, which works fine, but the alert details are masked with asterisks, e.g.

 [..]
       "ExtendedProperties": {
         "Alert Id": "************************************",
         "Client IP address": "***************",
         "Client IP location": "*************",
         "Client application": "**************************************",
         "Client hostname": "***********",
         "Client principal name": "*******************************",
         "Domain name": "********************",
         "Investigation steps": "******************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************",
         "KillChainIntent": "*************",
         "Potential causes": "*************************************************",
         "resourceType": "************"
       },
 [..]


You can reproduce this in the Cloud Shell using, for example:

 az graph query -q "securityresources | where type =~ 'microsoft.security/locations/alerts' | where properties.StartTimeUtc >= ago(1d) | where properties.Status in ('Active')"

How can I unmask these or what setting is masking them?




azure-security-center, microsoft-graph-security

Adding right tags/teams to assist


1 Answer

JamesTran-MSFT answered JamesTran-MSFT commented

@AlexanderGeorgiev
Thank you for your post!

  • When it comes to getting Security Alerts, are you able to see the masked info within the Azure Portal?

  • Have you tried using the az security alert CLI commands? Or even the alert resource type Graph API?


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Thank you so much!

The "az security alert" CLI in fact shows the values unmasked! (The REST API works as well, but is not suitable for my use case.)


@AlexanderGeorgiev
Thank you for the quick follow up on this and I'm glad that I was able to help resolve your issue!


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
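
An added example, not part of the thread and not Microsoft's code: a Python check that flags fully masked values in `az graph query` output and builds the `az security alert show` call to re-fetch each affected alert, the route the asker confirmed returns unmasked values. The resource ID layout is an assumption based on the `microsoft.security/locations/alerts` type in the question, and the sample data is constructed.

```python
import json
import re

MASKED = re.compile(r"^\*+$")  # a value made up only of asterisks
# Assumed alert resource ID layout (subscription- or resource-group-scoped).
ALERT_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)(?:/resourceGroups/(?P<rg>[^/]+))?"
    r"/providers/Microsoft\.Security/locations/(?P<loc>[^/]+)/alerts/(?P<name>[^/]+)$",
    re.IGNORECASE,
)

def masked_keys(value, prefix=""):
    """Return the dotted path of every string value that is fully masked."""
    if isinstance(value, dict):
        items = [(f"{prefix}.{k}" if prefix else k, v) for k, v in value.items()]
    elif isinstance(value, list):
        items = [(f"{prefix}[{i}]", v) for i, v in enumerate(value)]
    else:
        return [prefix] if isinstance(value, str) and MASKED.match(value) else []
    return [path for p, v in items for path in masked_keys(v, p)]

def refetch_plan(arg_output):
    """Map each alert with masked fields to an `az security alert show` argv."""
    plan = []
    for row in json.loads(arg_output).get("data", []):
        hidden = masked_keys(row.get("properties", {}))
        m = ALERT_ID.match(row.get("id", ""))
        if not hidden or not m:
            continue  # nothing masked, or an ID we cannot parse
        argv = ["az", "security", "alert", "show",
                "--location", m["loc"], "--name", m["name"],
                "--subscription", m["sub"]]
        if m["rg"]:
            argv += ["--resource-group", m["rg"]]
        plan.append({"masked": hidden, "argv": argv})
    return plan

# Constructed sample shaped like the masked output in the question.
SAMPLE = json.dumps({"data": [{
    "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.Security/locations/westeurope/alerts/alert-0001",
    "properties": {"Status": "Active",
                   "ExtendedProperties": {"Client IP address": "***************",
                                          "resourceType": "************"}},
}]})

if __name__ == "__main__":
    for item in refetch_plan(SAMPLE):
        print(item["masked"], " ".join(item["argv"]))
```

Pass the raw JSON text printed by `az graph query` to `refetch_plan`; an empty list means no value in the result set was masked.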
