Alerts - Get Subscription Level Alert

Get an alert that is associated with a subscription

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}?api-version=2019-01-01

URI Parameters

Name            In     Required  Type    Description
subscriptionId  path   True      string  Azure subscription ID. Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$
ascLocation     path   True      string  The location where ASC stores the data of the subscription; it can be retrieved from the Get Locations operation
alertName       path   True      string  Name of the alert object
api-version     query  True      string  API version for the operation

Responses

Name                Type        Description
200 OK              Alert       OK. The body is the Alert object described under Definitions.
Other Status Codes  CloudError  Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name                Description
user_impersonation  Impersonate your user account
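Calling the operation from a script, as an added example that is not part of this reference or of the Azure SDK. It assumes a bearer token for https://management.azure.com/ in the environment variable ARM_ACCESS_TOKEN (for instance from `az account get-access-token --resource https://management.azure.com/`); the implicit flow listed above is meant for browser clients, so a script obtains its token through the CLI or a service principal instead. The calling identity also needs the Microsoft.Security/alerts/read permission on the subscription (the Security Reader role carries it). The function names, the CloudError exception class and the constructed error body in the test are this example's own; the URL and regex are copied from the page.

```python
"""Build, validate and issue the Get Subscription Level Alert request.

Added example; not part of the Azure REST reference or the Azure SDK.
Assumes a bearer token for https://management.azure.com/ in the
environment variable ARM_ACCESS_TOKEN, e.g. from
    az account get-access-token --resource https://management.azure.com/
"""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2019-01-01"
# Subscription ID pattern copied from the URI Parameters table.
SUBSCRIPTION_RE = re.compile(r"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")


class CloudError(Exception):
    """Raised for a non-200 reply; carries the CloudError code and message."""

    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message


def build_alert_url(subscription_id, asc_location, alert_name):
    """Return the request URL, rejecting malformed path segments up front.

    ascLocation and alertName are percent-encoded so a value containing
    '/' or '?' cannot rewrite the path or the query string.
    """
    if not SUBSCRIPTION_RE.match(subscription_id):
        raise ValueError("subscriptionId is not a GUID")
    if not asc_location or not alert_name:
        raise ValueError("ascLocation and alertName are required")
    path = "/subscriptions/{}/providers/Microsoft.Security/locations/{}/alerts/{}".format(
        subscription_id,
        urllib.parse.quote(asc_location, safe=""),
        urllib.parse.quote(alert_name, safe=""),
    )
    return f"{ARM}{path}?api-version={API_VERSION}"


def parse_response(status, body):
    """Return the Alert dict for a 200; raise CloudError for anything else."""
    try:
        data = json.loads(body) if body else {}
    except ValueError:          # non-JSON body (e.g. an HTML error page)
        data = {}
    if status == 200:
        return data
    err = data.get("error", {}) if isinstance(data, dict) else {}
    raise CloudError(status, err.get("code", "Unknown"), err.get("message", ""))


def get_alert(subscription_id, asc_location, alert_name, token=None):
    """Issue the GET and return the Alert object (network call)."""
    token = token or os.environ["ARM_ACCESS_TOKEN"]
    req = urllib.request.Request(
        build_alert_url(subscription_id, asc_location, alert_name),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_response(resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return parse_response(e.code, e.read())


if __name__ == "__main__":
    # Same identifiers as the page's sample request.
    alert = get_alert("20ff7fc3-e762-44dd-bd96-b71116dcdc23", "westeurope",
                      "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA")
    print(json.dumps(alert, indent=2))
```

Validating the subscription ID against the documented pattern and percent-encoding the two free-form path segments keeps an attacker-influenced alert name (alert names are derived from data the vendor observed) from turning into a different ARM path; the CloudError code is what to branch on programmatically, since the page notes the codes are invariant while the message is meant for display.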

Examples

Get security alert on a subscription from a security data location

Sample Request

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA?api-version=2019-01-01

Sample Response

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
  "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
  "type": "Microsoft.Security/Locations/alerts",
  "properties": {
    "vendorName": "Microsoft",
    "alertDisplayName": "Threat Intelligence Alert",
    "alertName": "ThreatIntelligence",
    "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
    "description": "Process was detected running on the host and is considered to be suspicious, verify that the user ran it",
    "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
    "actionTaken": "Detected",
    "reportedSeverity": "High",
    "compromisedEntity": "vm1",
    "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
    "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
    "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
    "extendedProperties": {
      "user Name": "administrator",
      "domain Name": "Contoso",
      "attacker IP": "192.0.2.1",
      "resourceType": "Virtual Machine"
    },
    "state": "Dismissed",
    "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
    "confidenceScore": 0.8,
    "confidenceReasons": [
      {
        "type": "User",
        "reason": "Some user reason"
      },
      {
        "type": "Process",
        "reason": "Some process reason"
      },
      {
        "type": "Computer",
        "reason": "Some computer reason"
      }
    ],
    "canBeInvestigated": true,
    "isIncident": false,
    "entities": [
      {
        "address": "192.0.2.1",
        "location": {
          "countryCode": "gb",
          "state": "wokingham",
          "city": "sonning",
          "longitude": -0.909,
          "latitude": 51.468,
          "asn": 6584
        },
        "threatIntelligence": [
          {
            "providerName": "Team Cymru",
            "threatType": "C2",
            "threatName": "rarog",
            "confidence": 0.8,
            "reportLink": "http://www.microsoft.com",
            "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed."
          }
        ],
        "type": "ip"
      }
    ],
    "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk="
  }
}

Definitions

Name                   Description
Alert                  Security alert
AlertConfidenceReason  Factors that increase our confidence that the alert is a true positive
AlertEntity            Changing set of properties depending on the entity type
CloudError             Error response structure
reportedSeverity       Estimated severity of this alert

Alert

Security alert

Name                           Type                     Description
id                             string                   Resource ID
name                           string                   Resource name
properties.actionTaken         string                   The action that was taken in response to the alert (Active, Blocked, etc.)
properties.alertDisplayName    string                   Display name of the alert type
properties.alertName           string                   Name of the alert type
properties.associatedResource  string                   Azure resource ID of the associated resource
properties.canBeInvestigated   boolean                  Whether this alert can be investigated with Azure Security Center
properties.compromisedEntity   string                   The entity that the incident happened on
properties.confidenceReasons   AlertConfidenceReason[]  Reasons the alert got its confidenceScore value
properties.confidenceScore     number                   Level of confidence in the alert
properties.correlationKey      string                   Alerts with the same correlationKey are grouped together in the Azure portal
properties.description         string                   Description of the incident and what it means
properties.detectedTimeUtc     string                   The time the incident was detected by the vendor
properties.entities            AlertEntity[]            Objects related to this alert
properties.extendedProperties  object                   Changing set of properties depending on the alert type
properties.instanceId          string                   Instance ID of the alert
properties.isIncident          boolean                  Whether this alert is an incident (otherwise a single alert)
properties.remediationSteps    string                   Recommended steps to remediate the incident
properties.reportedSeverity    reportedSeverity         Estimated severity of this alert
properties.reportedTimeUtc     string                   The time the incident was reported to Microsoft.Security, in UTC
properties.state               string                   State of the alert (Active, Dismissed, etc.)
properties.subscriptionId      string                   Azure subscription ID of the resource that had the security alert, or the subscription ID of the workspace that this resource reports to
properties.systemSource        string                   The type of the alerted resource (Azure, Non-Azure)
properties.vendorName          string                   Name of the vendor that discovered the incident
properties.workspaceArmId      string                   Azure resource ID of the workspace that the alert was reported to
type                           string                   Resource type
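Triaging an Alert object of the shape documented above, as an added example that is neither Azure's nor the SDK's code. SAMPLE_ALERT is an abridged copy of the page's sample response, embedded so the example runs offline; the escalation floors MIN_SEVERITY and MIN_CONFIDENCE, the function names and the verdict layout are this example's own assumptions. The point it makes: extendedProperties is a free-form bag that changes per alert type and each AlertEntity changes shape per entity type, so every field read is defensive, indicator values are parsed before they are trusted, and a Dismissed alert is not acted on regardless of severity.

```python
"""Triage an Alert object as returned by Get Subscription Level Alert.

Added example, not Azure's or the SDK's code. SAMPLE_ALERT is an abridged
copy of the page's sample response. MIN_SEVERITY and MIN_CONFIDENCE are
assumed thresholds, not values defined by the API.
"""
import ipaddress
import json
from collections import defaultdict

SAMPLE_ALERT = json.loads(r'''{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
  "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
  "type": "Microsoft.Security/Locations/alerts",
  "properties": {
    "alertName": "ThreatIntelligence",
    "reportedSeverity": "High",
    "state": "Dismissed",
    "isIncident": false,
    "confidenceScore": 0.8,
    "compromisedEntity": "vm1",
    "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
    "extendedProperties": {"user Name": "administrator", "attacker IP": "192.0.2.1", "resourceType": "Virtual Machine"},
    "entities": [{"type": "ip", "address": "192.0.2.1",
                  "threatIntelligence": [{"providerName": "Team Cymru", "threatType": "C2", "threatName": "rarog", "confidence": 0.8}]}],
    "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk="
  }
}''')

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
MIN_SEVERITY = "Medium"   # assumed escalation floor
MIN_CONFIDENCE = 0.7      # assumed confidenceScore floor


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ip_indicators(alert):
    """Return {ip: [threatType, ...]} from extendedProperties and ip entities.

    Keys of extendedProperties vary by alert type and entity fields vary by
    entity type, so nothing is assumed present. Values that do not parse as
    an IP address are dropped so they never reach a block list.
    """
    props = alert.get("properties", {})
    found = {}
    attacker = props.get("extendedProperties", {}).get("attacker IP")
    if attacker:
        found.setdefault(attacker, [])
    for ent in props.get("entities", []):
        if ent.get("type") != "ip" or not ent.get("address"):
            continue
        kinds = [ti.get("threatType") for ti in ent.get("threatIntelligence", []) if ti.get("threatType")]
        found.setdefault(ent["address"], []).extend(kinds)
    return {ip: kinds for ip, kinds in found.items() if _is_ip(ip)}


def triage(alert):
    """Decide whether an analyst should pick this alert up, and why."""
    p = alert.get("properties", {})
    severity = p.get("reportedSeverity", "Informational")
    indicators = ip_indicators(alert)
    c2 = any("C2" in kinds for kinds in indicators.values())
    verdict = {"alert": alert.get("name"), "resource": p.get("associatedResource"),
               "severity": severity, "indicators": indicators, "escalate": False, "reason": ""}
    if p.get("state") != "Active":
        verdict["reason"] = f"state is {p.get('state')}"
    elif SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[MIN_SEVERITY]:
        verdict["reason"] = f"below {MIN_SEVERITY}"
    elif p.get("confidenceScore", 0) < MIN_CONFIDENCE and not c2:
        verdict["reason"] = "low confidence and no C2 indicator"
    else:
        verdict["escalate"] = True
        verdict["reason"] = "incident" if p.get("isIncident") else ("C2 indicator" if c2 else "severity and confidence")
    return verdict


def group_by_correlation(alerts):
    """Group alert names by correlationKey, as the portal groups them."""
    groups = defaultdict(list)
    for a in alerts:
        groups[a.get("properties", {}).get("correlationKey")].append(a.get("name"))
    return dict(groups)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```

Run against the sample as-is the verdict is not to escalate, because the alert is Dismissed; flip state to Active and the same High-severity alert with a C2-typed threat intelligence entity escalates. When several alerts come back from a listing call, group_by_correlation reproduces the portal's grouping so one incident is not handled as many tickets.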

AlertConfidenceReason

Factors that increase our confidence that the alert is a true positive

Name    Type    Description
reason  string  Description of the confidence reason
type    string  Type of confidence factor

AlertEntity

Changing set of properties depending on the entity type.

Name  Type    Description
type  string  Type of entity

CloudError

Error response structure.

Name           Type    Description
error.code     string  An identifier for the error. Codes are invariant and are intended to be consumed programmatically.
error.message  string  A message describing the error, intended to be suitable for display in a user interface.

reportedSeverity

Estimated severity of this alert

Name           Type
High           string
Informational  string
Low            string
Medium         string