Alerts - Get Resource Group Level

Service:: Defender for Cloud

API Version:: 2022-01-01

Get an alert that is associated a resource group or a resource in a resource group

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}?api-version=2022-01-01

URI Parameters

Name	In	Required	Type	Description
alertName	path	True	string	Name of the alert object
ascLocation	path	True	string	The location where ASC stores the data of the subscription. can be retrieved from Get locations
resourceGroupName	path	True	string minLength: 1 maxLength: 90 pattern: ^[-\w\._\(\)]+$	The name of the resource group within the user's subscription. The name is case insensitive.
subscriptionId	path	True	string pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$	Azure subscription ID
api-version	query	True	string	API version for the operation

Responses

Name	Type	Description
200 OK	Alert	OK
Other Status Codes	CloudError	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	impersonate your user account

Examples

Get security alert on a resource group from a security data location

Sample request

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a?api-version=2022-01-01


/**
 * Samples for Alerts GetResourceGroupLevel.
 */
public final class Main {
    /*
     * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/examples/Alerts/
     * GetAlertResourceGroupLocation_example.json
     */
    /**
     * Sample code: Get security alert on a resource group from a security data location.
     * 
     * @param manager Entry point to SecurityManager.
     */
    public static void getSecurityAlertOnAResourceGroupFromASecurityDataLocation(
        com.azure.resourcemanager.security.SecurityManager manager) {
        manager.alerts().getResourceGroupLevelWithResponse("myRg1", "westeurope",
            "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential

from azure.mgmt.security import SecurityCenter

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-security
# USAGE
    python get_alert_resource_group_location_example.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SecurityCenter(
        credential=DefaultAzureCredential(),
        subscription_id="20ff7fc3-e762-44dd-bd96-b71116dcdc23",
    )

    response = client.alerts.get_resource_group_level(
        resource_group_name="myRg1",
        asc_location="westeurope",
        alert_name="2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
    )
    print(response)


# x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/9ac34f238dd6b9071f486b57e9f9f1a0c43ec6f6/specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json
func ExampleAlertsClient_GetResourceGroupLevel() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewAlertsClient().GetResourceGroupLevel(ctx, "myRg1", "westeurope", "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a", nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.Alert = armsecurity.Alert{
	// 	Name: to.Ptr("2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a"),
	// 	Type: to.Ptr("Microsoft.Security/Locations/alerts"),
	// 	ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"),
	// 	Properties: &armsecurity.AlertProperties{
	// 		Description: to.Ptr("This is a test alert generated by Azure Security Center. No further action is needed."),
	// 		AlertDisplayName: to.Ptr("Azure Security Center test alert (not a threat)"),
	// 		AlertType: to.Ptr("VM_EICAR"),
	// 		AlertURI: to.Ptr("https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope"),
	// 		CompromisedEntity: to.Ptr("vm1"),
	// 		CorrelationKey: to.Ptr("kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk="),
	// 		EndTimeUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2020-02-22T00:00:00.000Z"); return t}()),
	// 		Entities: []*armsecurity.AlertEntity{
	// 			{
	// 				AdditionalProperties: map[string]any{
	// 					"address": "192.0.2.1",
	// 					"location": map[string]any{
	// 						"asn": float64(6584),
	// 						"city": "sonning",
	// 						"countryCode": "gb",
	// 						"latitude": float64(51.468),
	// 						"longitude": float64(-0.909),
	// 						"state": "wokingham",
	// 					},
	// 				},
	// 				Type: to.Ptr("ip"),
	// 		}},
	// 		ExtendedLinks: []map[string]*string{
	// 			map[string]*string{
	// 				"Category": to.Ptr("threat_reports"),
	// 				"Href": to.Ptr("https://contoso.com/reports/DisplayReport"),
	// 				"Label": to.Ptr("Report: RDP Brute Forcing"),
	// 				"Type": to.Ptr("webLink"),
	// 		}},
	// 		ExtendedProperties: map[string]*string{
	// 			"Property1": to.Ptr("Property1 information"),
	// 		},
	// 		Intent: to.Ptr(armsecurity.IntentExecution),
	// 		IsIncident: to.Ptr(true),
	// 		ProcessingEndTimeUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2020-02-23T13:47:58.920Z"); return t}()),
	// 		ProductComponentName: to.Ptr("testName"),
	// 		ProductName: to.Ptr("Azure Security Center"),
	// 		RemediationSteps: []*string{
	// 			to.Ptr("No further action is needed.")},
	// 			ResourceIdentifiers: []armsecurity.ResourceIdentifierClassification{
	// 				&armsecurity.AzureResourceIdentifier{
	// 					Type: to.Ptr(armsecurity.ResourceIdentifierTypeAzureResource),
	// 					AzureResourceID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1"),
	// 				},
	// 				&armsecurity.LogAnalyticsIdentifier{
	// 					Type: to.Ptr(armsecurity.ResourceIdentifierTypeLogAnalytics),
	// 					AgentID: to.Ptr("75724a01-f021-4aa8-9ec2-329792373e6e"),
	// 					WorkspaceID: to.Ptr("f419f624-acad-4d89-b86d-f62fa387f019"),
	// 					WorkspaceResourceGroup: to.Ptr("myRg1"),
	// 					WorkspaceSubscriptionID: to.Ptr("20ff7fc3-e762-44dd-bd96-b71116dcdc23"),
	// 			}},
	// 			Severity: to.Ptr(armsecurity.AlertSeverityHigh),
	// 			StartTimeUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2020-02-22T00:00:00.000Z"); return t}()),
	// 			Status: to.Ptr(armsecurity.AlertStatusActive),
	// 			SubTechniques: []*string{
	// 				to.Ptr("T1059.001"),
	// 				to.Ptr("T1059.006"),
	// 				to.Ptr("T1053.002")},
	// 				SupportingEvidence: &armsecurity.AlertPropertiesSupportingEvidence{
	// 					AdditionalProperties: map[string]any{
	// 						"supportingEvidenceList": []any{
	// 							map[string]any{
	// 								"type": "nestedList",
	// 								"evidenceElements":[]any{
	// 									map[string]any{
	// 										"type": "evidenceElement",
	// 										"innerElements": nil,
	// 										"text":map[string]any{
	// 											"arguments":map[string]any{
	// 												"domainName":map[string]any{
	// 													"type": "string",
	// 													"value": "domainName",
	// 												},
	// 												"sensitiveEnumerationTypes":map[string]any{
	// 													"type": "string[]",
	// 													"value":[]any{
	// 														"UseDesKey",
	// 													},
	// 												},
	// 											},
	// 											"fallback": "Actor enumerated UseDesKey on domain1.test.local",
	// 											"localizationKey": "AATP_ALERTS_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT_EVIDENCE_ENUMERATION_DETAIL_A7C00BD7",
	// 										},
	// 									},
	// 								},
	// 							},
	// 							map[string]any{
	// 								"type": "tabularEvidences",
	// 								"columns":[]any{
	// 									"Date",
	// 									"Activity",
	// 									"User",
	// 									"TestedText",
	// 									"TestedValue",
	// 								},
	// 								"rows":[]any{
	// 									[]any{
	// 										"2022-01-17T07:03:52.034Z",
	// 										"Log on",
	// 										"testUser",
	// 										"false",
	// 										false,
	// 									},
	// 									[]any{
	// 										"2022-01-17T07:03:52.034Z",
	// 										"Log on",
	// 										"testUser2",
	// 										"false",
	// 										false,
	// 									},
	// 									[]any{
	// 										"2022-01-17T07:03:52.034Z",
	// 										"Log on",
	// 										"testUser3",
	// 										"true",
	// 										true,
	// 									},
	// 								},
	// 								"title": "Investigate activity test",
	// 							},
	// 						},
	// 					},
	// 					Type: to.Ptr("supportingEvidenceList"),
	// 				},
	// 				SystemAlertID: to.Ptr("2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a"),
	// 				Techniques: []*string{
	// 					to.Ptr("T1059"),
	// 					to.Ptr("T1053"),
	// 					to.Ptr("T1072")},
	// 					TimeGeneratedUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2020-02-23T13:47:58.000Z"); return t}()),
	// 					VendorName: to.Ptr("Microsoft"),
	// 					Version: to.Ptr("2022-01-01"),
	// 				},
	// 			}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Get an alert that is associated a resource group or a resource in a resource group
 *
 * @summary Get an alert that is associated a resource group or a resource in a resource group
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json
 */
async function getSecurityAlertOnAResourceGroupFromASecurityDataLocation() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const resourceGroupName = process.env["SECURITY_RESOURCE_GROUP"] || "myRg1";
  const ascLocation = "westeurope";
  const alertName = "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a";
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.alerts.getResourceGroupLevel(
    resourceGroupName,
    ascLocation,
    alertName,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

using Azure;
using Azure.ResourceManager;
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.SecurityCenter;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/stable/2022-01-01/examples/Alerts/GetAlertResourceGroupLocation_example.json
// this example is just showing the usage of "Alerts_GetResourceGroupLevel" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://dori-uw-1.kuma-moon.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this ResourceGroupSecurityAlertResource created on azure
// for more information of creating ResourceGroupSecurityAlertResource, please refer to the document of ResourceGroupSecurityAlertResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string resourceGroupName = "myRg1";
AzureLocation ascLocation = new AzureLocation("westeurope");
string alertName = "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a";
ResourceIdentifier resourceGroupSecurityAlertResourceId = ResourceGroupSecurityAlertResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, ascLocation, alertName);
ResourceGroupSecurityAlertResource resourceGroupSecurityAlert = client.GetResourceGroupSecurityAlertResource(resourceGroupSecurityAlertResourceId);

// invoke the operation
ResourceGroupSecurityAlertResource result = await resourceGroupSecurityAlert.GetAsync();

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SecurityAlertData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample response

Status code:: 200

{
  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
  "name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
  "type": "Microsoft.Security/Locations/alerts",
  "properties": {
    "version": "2022-01-01",
    "alertType": "VM_EICAR",
    "systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
    "productComponentName": "testName",
    "alertDisplayName": "Azure Security Center test alert (not a threat)",
    "description": "This is a test alert generated by Azure Security Center. No further action is needed.",
    "severity": "High",
    "intent": "Execution",
    "startTimeUtc": "2020-02-22T00:00:00.0000000Z",
    "endTimeUtc": "2020-02-22T00:00:00.0000000Z",
    "resourceIdentifiers": [
      {
        "azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
        "type": "AzureResource"
      },
      {
        "workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
        "workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
        "workspaceResourceGroup": "myRg1",
        "agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
        "type": "LogAnalytics"
      }
    ],
    "remediationSteps": [
      "No further action is needed."
    ],
    "vendorName": "Microsoft",
    "status": "Active",
    "extendedLinks": [
      {
        "Category": "threat_reports",
        "Label": "Report: RDP Brute Forcing",
        "Href": "https://contoso.com/reports/DisplayReport",
        "Type": "webLink"
      }
    ],
    "alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
    "timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z",
    "productName": "Azure Security Center",
    "processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z",
    "entities": [
      {
        "address": "192.0.2.1",
        "location": {
          "countryCode": "gb",
          "state": "wokingham",
          "city": "sonning",
          "longitude": -0.909,
          "latitude": 51.468,
          "asn": 6584
        },
        "type": "ip"
      }
    ],
    "isIncident": true,
    "correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=",
    "extendedProperties": {
      "Property1": "Property1 information"
    },
    "compromisedEntity": "vm1",
    "techniques": [
      "T1059",
      "T1053",
      "T1072"
    ],
    "subTechniques": [
      "T1059.001",
      "T1059.006",
      "T1053.002"
    ],
    "supportingEvidence": {
      "supportingEvidenceList": [
        {
          "evidenceElements": [
            {
              "text": {
                "arguments": {
                  "sensitiveEnumerationTypes": {
                    "type": "string[]",
                    "value": [
                      "UseDesKey"
                    ]
                  },
                  "domainName": {
                    "type": "string",
                    "value": "domainName"
                  }
                },
                "localizationKey": "AATP_ALERTS_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT_EVIDENCE_ENUMERATION_DETAIL_A7C00BD7",
                "fallback": "Actor enumerated UseDesKey on domain1.test.local"
              },
              "type": "evidenceElement",
              "innerElements": null
            }
          ],
          "type": "nestedList"
        },
        {
          "type": "tabularEvidences",
          "title": "Investigate activity test",
          "columns": [
            "Date",
            "Activity",
            "User",
            "TestedText",
            "TestedValue"
          ],
          "rows": [
            [
              "2022-01-17T07:03:52.034Z",
              "Log on",
              "testUser",
              "false",
              false
            ],
            [
              "2022-01-17T07:03:52.034Z",
              "Log on",
              "testUser2",
              "false",
              false
            ],
            [
              "2022-01-17T07:03:52.034Z",
              "Log on",
              "testUser3",
              "true",
              true
            ]
          ]
        }
      ],
      "type": "supportingEvidenceList"
    }
  }
}

Definitions

Name	Description
Alert	Security alert
AlertEntity	Changing set of properties depending on the entity type.
alertSeverity	The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.
alertStatus	The life cycle status of the alert.
AzureResourceIdentifier	Azure resource identifier.
CloudError	Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
CloudErrorBody	The error detail.
ErrorAdditionalInfo	The resource management error additional info.
intent	The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.
LogAnalyticsIdentifier	Represents a Log Analytics workspace scope identifier.
SupportingEvidence	Changing set of properties depending on the supportingEvidence type.

Alert

Object

Security alert

Name	Type	Description
id	string	Resource Id
name	string	Resource name
properties.alertDisplayName	string	The display name of the alert.
properties.alertType	string	Unique identifier for the detection logic (all alert instances from the same detection logic will have the same alertType).
properties.alertUri	string	A direct link to the alert page in Azure Portal.
properties.compromisedEntity	string	The display name of the resource most related to this alert.
properties.correlationKey	string	Key for corelating related alerts. Alerts with the same correlation key considered to be related.
properties.description	string	Description of the suspicious activity that was detected.
properties.endTimeUtc	string (date-time)	The UTC time of the last event or activity included in the alert in ISO8601 format.
properties.entities	AlertEntity[]	A list of entities related to the alert.
properties.extendedLinks	object[]	Links related to the alert
properties.extendedProperties	object	Custom properties for the alert.
properties.intent	intent	The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.
properties.isIncident	boolean	This field determines whether the alert is an incident (a compound grouping of several alerts) or a single alert.
properties.processingEndTimeUtc	string (date-time)	The UTC processing end time of the alert in ISO8601 format.
properties.productComponentName	string	The name of Azure Security Center pricing tier which powering this alert. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing
properties.productName	string	The name of the product which published this alert (Microsoft Sentinel, Microsoft Defender for Identity, Microsoft Defender for Endpoint, Microsoft Defender for Office, Microsoft Defender for Cloud Apps, and so on).
properties.remediationSteps	string[]	Manual action items to take to remediate the alert.
properties.resourceIdentifiers	ResourceIdentifier[]: AzureResourceIdentifier[] LogAnalyticsIdentifier[]	The resource identifiers that can be used to direct the alert to the right product exposure group (tenant, workspace, subscription etc.). There can be multiple identifiers of different type per alert.
properties.severity	alertSeverity	The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.
properties.startTimeUtc	string (date-time)	The UTC time of the first event or activity included in the alert in ISO8601 format.
properties.status	alertStatus	The life cycle status of the alert.
properties.subTechniques	string[]	Kill chain related sub-techniques behind the alert.
properties.supportingEvidence	SupportingEvidence	Changing set of properties depending on the supportingEvidence type.
properties.systemAlertId	string	Unique identifier for the alert.
properties.techniques	string[]	kill chain related techniques behind the alert.
properties.timeGeneratedUtc	string (date-time)	The UTC time the alert was generated in ISO8601 format.
properties.vendorName	string	The name of the vendor that raises the alert.
properties.version	string	Schema version.
type	string	Resource type

AlertEntity

Object

Changing set of properties depending on the entity type.

Name	Type	Description
type	string	Type of entity

alertSeverity

Enumeration

The risk level of the threat that was detected. Learn more: https://docs.microsoft.com/en-us/azure/security-center/security-center-alerts-overview#how-are-alerts-classified.

Value	Description
Informational	Informational
Low	Low
Medium	Medium
High	High

alertStatus

Enumeration

The life cycle status of the alert.

Value	Description
Active	An alert which doesn't specify a value is assigned the status 'Active'
InProgress	An alert which is in handling state
Resolved	Alert closed after handling
Dismissed	Alert dismissed as false positive

AzureResourceIdentifier

Object

Azure resource identifier.

Name	Type	Description
azureResourceId	string	ARM resource identifier for the cloud resource being alerted on
type	string: AzureResource	There can be multiple identifiers of different type per alert, this field specify the identifier type.

CloudError

Object

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).

Name	Type	Description
error.additionalInfo	ErrorAdditionalInfo[]	The error additional info.
error.code	string	The error code.
error.details	CloudErrorBody[]	The error details.
error.message	string	The error message.
error.target	string	The error target.

CloudErrorBody

Object

The error detail.

Name	Type	Description
additionalInfo	ErrorAdditionalInfo[]	The error additional info.
code	string	The error code.
details	CloudErrorBody[]	The error details.
message	string	The error message.
target	string	The error target.

ErrorAdditionalInfo

Object

The resource management error additional info.

Name	Type	Description
info	object	The additional info.
type	string	The additional info type.

intent

Enumeration

The kill chain related intent behind the alert. For list of supported values, and explanations of Azure Security Center's supported kill chain intents.

Value	Description
Unknown	Unknown
PreAttack	PreAttack could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt, originating from outside the network, to scan the target system and find a way in. Further details on the PreAttack stage can be read in MITRE Pre-Att&ck matrix.
InitialAccess	InitialAccess is the stage where an attacker manages to get foothold on the attacked resource.
Persistence	Persistence is any access, action, or configuration change to a system that gives a threat actor a persistent presence on that system.
PrivilegeEscalation	Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network.
DefenseEvasion	Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses.
CredentialAccess	Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment.
Discovery	Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network.
LateralMovement	Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems.
Execution	The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system.
Collection	Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.
Exfiltration	Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network.
CommandAndControl	The command and control tactic represents how adversaries communicate with systems under their control within a target network.
Impact	Impact events primarily try to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process.
Probing	Probing could be either an attempt to access a certain resource regardless of a malicious intent, or a failed attempt to gain access to a target system to gather information prior to exploitation.
Exploitation	Exploitation is the stage where an attacker manages to get a foothold on the attacked resource. This stage is relevant for compute hosts and resources such as user accounts, certificates etc.

LogAnalyticsIdentifier

Object

Represents a Log Analytics workspace scope identifier.

Name	Type	Description
agentId	string	(optional) The LogAnalytics agent id reporting the event that this alert is based on.
type	string: LogAnalytics	There can be multiple identifiers of different type per alert, this field specify the identifier type.
workspaceId	string	The LogAnalytics workspace id that stores this alert.
workspaceResourceGroup	string	The azure resource group for the LogAnalytics workspace storing this alert
workspaceSubscriptionId	string pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$	The azure subscription id for the LogAnalytics workspace storing this alert.

SupportingEvidence

Object

Changing set of properties depending on the supportingEvidence type.

Name	Type	Description
type	string	Type of the supportingEvidence