Incidents - List Alerts
Gets all alerts for an incident.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts?api-version=2024-09-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
incident
|
path | True |
string |
Incident ID |
resource
|
path | True |
string |
The name of the resource group. The name is case insensitive. |
subscription
|
path | True |
string uuid |
The ID of the target subscription. The value must be an UUID. |
workspace
|
path | True |
string |
The name of the workspace. Regex pattern: |
api-version
|
query | True |
string |
The API version to use for this operation. |
Responses
Name | Type | Description |
---|---|---|
200 OK |
OK |
|
Other Status Codes |
Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type:
oauth2
Flow:
implicit
Authorization URL:
https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Get all incident alerts.
Sample request
POST https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/alerts?api-version=2024-09-01
Sample response
{
"value": [
{
"id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/baa8a239-6fde-4ab7-a093-d09f7b75c58c",
"name": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
"type": "Microsoft.SecurityInsights/Entities",
"kind": "SecurityAlert",
"properties": {
"systemAlertId": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
"tactics": [],
"alertDisplayName": "myAlert",
"confidenceLevel": "Unknown",
"severity": "Low",
"vendorName": "Microsoft",
"productName": "Azure Security Center",
"alertType": "myAlert",
"processingEndTime": "2020-07-20T18:21:53.6158361Z",
"status": "New",
"endTimeUtc": "2020-07-20T18:21:53.6158361Z",
"startTimeUtc": "2020-07-20T18:21:53.6158361Z",
"timeGenerated": "2020-07-20T18:21:53.6158361Z",
"resourceIdentifiers": [
{
"type": "LogAnalytics",
"workspaceId": "c8c99641-985d-4e4e-8e91-fb3466cd0e5b",
"subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
"resourceGroup": "myRG"
}
],
"additionalData": {
"AlertMessageEnqueueTime": "2020-07-20T18:21:57.304Z"
},
"friendlyName": "myAlert"
}
}
]
}
Definitions
Name | Description |
---|---|
Alert |
The severity of the alert |
Alert |
The lifecycle status of the alert. |
Attack |
The severity for alerts created by this alert rule. |
Cloud |
Error response structure. |
Cloud |
Error details. |
Confidence |
The confidence level of this alert. |
Confidence |
The confidence reasons |
Confidence |
The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final. |
created |
The type of identity that created the resource. |
Entity |
The kind of the aggregated entity. |
Incident |
List of incident alerts. |
Kill |
Holds the alert intent stage(s) mapping for this alert. |
Security |
Represents a security alert entity. |
system |
Metadata pertaining to creation and last modification of the resource. |
AlertSeverity
The severity of the alert
Name | Type | Description |
---|---|---|
High |
string |
High severity |
Informational |
string |
Informational severity |
Low |
string |
Low severity |
Medium |
string |
Medium severity |
AlertStatus
The lifecycle status of the alert.
Name | Type | Description |
---|---|---|
Dismissed |
string |
Alert dismissed as false positive |
InProgress |
string |
Alert is being handled |
New |
string |
New alert |
Resolved |
string |
Alert closed after handling |
Unknown |
string |
Unknown value |
AttackTactic
The severity for alerts created by this alert rule.
Name | Type | Description |
---|---|---|
Collection |
string |
|
CommandAndControl |
string |
|
CredentialAccess |
string |
|
DefenseEvasion |
string |
|
Discovery |
string |
|
Execution |
string |
|
Exfiltration |
string |
|
Impact |
string |
|
ImpairProcessControl |
string |
|
InhibitResponseFunction |
string |
|
InitialAccess |
string |
|
LateralMovement |
string |
|
Persistence |
string |
|
PreAttack |
string |
|
PrivilegeEscalation |
string |
|
Reconnaissance |
string |
|
ResourceDevelopment |
string |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error |
Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code |
string |
An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message |
string |
A message describing the error, intended to be suitable for display in a user interface. |
ConfidenceLevel
The confidence level of this alert.
Name | Type | Description |
---|---|---|
High |
string |
High confidence that the alert is true positive malicious |
Low |
string |
Low confidence, meaning we have some doubts this is indeed malicious or part of an attack |
Unknown |
string |
Unknown confidence, the is the default value |
ConfidenceReasons
The confidence reasons
Name | Type | Description |
---|---|---|
reason |
string |
The reason's description |
reasonType |
string |
The type (category) of the reason |
ConfidenceScoreStatus
The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.
Name | Type | Description |
---|---|---|
Final |
string |
Final score was calculated and available |
InProcess |
string |
No score was set yet and calculation is in progress |
NotApplicable |
string |
Score will not be calculated for this alert as it is not supported by virtual analyst |
NotFinal |
string |
Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data |
createdByType
The type of identity that created the resource.
Name | Type | Description |
---|---|---|
Application |
string |
|
Key |
string |
|
ManagedIdentity |
string |
|
User |
string |
EntityKindEnum
The kind of the aggregated entity.
Name | Type | Description |
---|---|---|
Account |
string |
Entity represents account in the system. |
AzureResource |
string |
Entity represents azure resource in the system. |
Bookmark |
string |
Entity represents bookmark in the system. |
CloudApplication |
string |
Entity represents cloud application in the system. |
DnsResolution |
string |
Entity represents dns resolution in the system. |
File |
string |
Entity represents file in the system. |
FileHash |
string |
Entity represents file hash in the system. |
Host |
string |
Entity represents host in the system. |
IoTDevice |
string |
Entity represents IoT device in the system. |
Ip |
string |
Entity represents ip in the system. |
MailCluster |
string |
Entity represents mail cluster in the system. |
MailMessage |
string |
Entity represents mail message in the system. |
Mailbox |
string |
Entity represents mailbox in the system. |
Malware |
string |
Entity represents malware in the system. |
Process |
string |
Entity represents process in the system. |
RegistryKey |
string |
Entity represents registry key in the system. |
RegistryValue |
string |
Entity represents registry value in the system. |
SecurityAlert |
string |
Entity represents security alert in the system. |
SecurityGroup |
string |
Entity represents security group in the system. |
SubmissionMail |
string |
Entity represents submission mail in the system. |
Url |
string |
Entity represents url in the system. |
IncidentAlertList
List of incident alerts.
Name | Type | Description |
---|---|---|
value |
Array of incident alerts. |
KillChainIntent
Holds the alert intent stage(s) mapping for this alert.
Name | Type | Description |
---|---|---|
Collection |
string |
Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
CommandAndControl |
string |
The command and control tactic represents how adversaries communicate with systems under their control within a target network. |
CredentialAccess |
string |
Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment. |
DefenseEvasion |
string |
Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. |
Discovery |
string |
Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase. |
Execution |
string |
The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network. |
Exfiltration |
string |
Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate. |
Exploitation |
string |
Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage. |
Impact |
string |
The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others. |
LateralMovement |
string |
Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect. |
Persistence |
string |
Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access. |
PrivilegeEscalation |
string |
Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege. |
Probing |
string |
Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in. |
Unknown |
string |
The default value. |
SecurityAlert
Represents a security alert entity.
Name | Type | Description |
---|---|---|
id |
string |
Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
kind | string: |
The kind of the entity. |
name |
string |
The name of the resource |
properties.additionalData |
object |
A bag of custom fields that should be part of the entity and will be presented to the user. |
properties.alertDisplayName |
string |
The display name of the alert. |
properties.alertLink |
string |
The uri link of the alert. |
properties.alertType |
string |
The type name of the alert. |
properties.compromisedEntity |
string |
Display name of the main entity being reported on. |
properties.confidenceLevel |
The confidence level of this alert. |
|
properties.confidenceReasons |
The confidence reasons |
|
properties.confidenceScore |
number |
The confidence score of the alert. |
properties.confidenceScoreStatus |
The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final. |
|
properties.description |
string |
Alert description. |
properties.endTimeUtc |
string |
The impact end time of the alert (the time of the last event contributing to the alert). |
properties.friendlyName |
string |
The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated. |
properties.intent |
Holds the alert intent stage(s) mapping for this alert. |
|
properties.processingEndTime |
string |
The time the alert was made available for consumption. |
properties.productComponentName |
string |
The name of a component inside the product which generated the alert. |
properties.productName |
string |
The name of the product which published this alert. |
properties.productVersion |
string |
The version of the product generating the alert. |
properties.providerAlertId |
string |
The identifier of the alert inside the product which generated the alert. |
properties.remediationSteps |
string[] |
Manual action items to take to remediate the alert. |
properties.resourceIdentifiers |
object[] |
The list of resource identifiers of the alert. |
properties.severity |
The severity of the alert |
|
properties.startTimeUtc |
string |
The impact start time of the alert (the time of the first event contributing to the alert). |
properties.status |
The lifecycle status of the alert. |
|
properties.systemAlertId |
string |
Holds the product identifier of the alert for the product. |
properties.tactics |
The tactics of the alert |
|
properties.timeGenerated |
string |
The time the alert was generated. |
properties.vendorName |
string |
The name of the vendor that raise the alert. |
systemData |
Azure Resource Manager metadata containing createdBy and modifiedBy information. |
|
type |
string |
The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt |
string |
The timestamp of resource creation (UTC). |
createdBy |
string |
The identity that created the resource. |
createdByType |
The type of identity that created the resource. |
|
lastModifiedAt |
string |
The timestamp of resource last modification (UTC) |
lastModifiedBy |
string |
The identity that last modified the resource. |
lastModifiedByType |
The type of identity that last modified the resource. |