Share via

Assessments Metadata - List By Subscription

  • Reference
Service:
Defender for Cloud
API Version:
2021-06-01

Get metadata information on all assessment types in a specific subscription

GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01

URI Parameters

Name In Required Type Description
subscriptionId
 path True

string

Azure subscription ID

Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$
api-version
 query True

string

API version for the operation

Responses

Name Type Description
200 OK

SecurityAssessmentMetadataResponseList

OK
Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

List security assessment metadata for subscription

Sample request

GET https://management.azure.com/subscriptions/0980887d-03d6-408c-9566-532f3456804e/providers/Microsoft.Security/assessmentMetadata?api-version=2021-06-01

Sample response

Status code:
200 
{
  "value": [
    {
      "id": "/providers/Microsoft.Security/assessmentMetadata/21300918-b2e3-0346-785f-c77ff57d243b",
      "name": "21300918-b2e3-0346-785f-c77ff57d243b",
      "type": "Microsoft.Security/assessmentMetadata",
      "properties": {
        "displayName": "Install endpoint protection solution on virtual machine scale sets",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
        "description": "Install an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities.",
        "remediationDescription": "To install an endpoint protection solution: 1.  <a href=\"https://docs.microsoft.com/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-faq#how-do-i-turn-on-antimalware-in-my-virtual-machine-scale-set\">Follow the instructions in How do I turn on antimalware in my virtual machine scale set</a>",
        "categories": [
          "Compute"
        ],
        "severity": "Medium",
        "userImpact": "Low",
        "implementationEffort": "Low",
        "threats": [
          "dataExfiltration",
          "dataSpillage",
          "maliciousInsider"
        ],
        "publishDates": {
          "GA": "06/01/2021",
          "public": "06/01/2021"
        },
        "plannedDeprecationDate": "03/2022",
        "tactics": [
          "Credential Access",
          "Persistence",
          "Execution",
          "Defense Evasion",
          "Collection",
          "Discovery",
          "Privilege Escalation"
        ],
        "techniques": [
          "Obfuscated Files or Information",
          "Ingress Tool Transfer",
          "Phishing",
          "User Execution"
        ],
        "assessmentType": "BuiltIn"
      }
    },
    {
      "id": "/providers/Microsoft.Security/assessmentMetadata/bc303248-3d14-44c2-96a0-55f5c326b5fe",
      "name": "bc303248-3d14-44c2-96a0-55f5c326b5fe",
      "type": "Microsoft.Security/assessmentMetadata",
      "properties": {
        "displayName": "Close management ports on your virtual machines",
        "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
        "description": "Open remote management ports expose your VM to a high level of risk from internet-based attacks that attempt to brute force credentials to gain admin access to the machine.",
        "remediationDescription": "We recommend that you edit the inbound rules of the below virtual machines to restrict access to specific source ranges.<br>To restrict the access to your virtual machines: 1. Click on a VM from the list below 2. At the 'Networking' blade, click on each of the rules that allow management ports (e.g. RDP-3389, WINRM-5985, SSH-22) 3. Change the 'Action' property to 'Deny' 4. Click 'Save'",
        "categories": [
          "Networking"
        ],
        "severity": "Medium",
        "userImpact": "High",
        "implementationEffort": "Low",
        "threats": [
          "dataExfiltration",
          "dataSpillage",
          "maliciousInsider"
        ],
        "publishDates": {
          "GA": "06/01/2021",
          "public": "06/01/2021"
        },
        "preview": true,
        "assessmentType": "CustomPolicy"
      }
    }
  ]
}

Definitions

Name Description
assessmentType

BuiltIn if the assessment based on built-in Azure Policy definition, Custom if the assessment based on custom Azure Policy definition
categories
CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).
CloudErrorBody

The error detail.
ErrorAdditionalInfo

The resource management error additional info.
implementationEffort

The implementation effort required to remediate this assessment
PublishDates
SecurityAssessmentMetadataPartnerData

Describes the partner that created the assessment
SecurityAssessmentMetadataResponse

Security assessment metadata response
SecurityAssessmentMetadataResponseList

List of security assessment metadata
severity

The severity level of the assessment
tactics
techniques
threats
userImpact

The user impact of the assessment

assessmentType

BuiltIn if the assessment based on built-in Azure Policy definition, Custom if the assessment based on custom Azure Policy definition

Name Type Description
BuiltIn

string

Microsoft Defender for Cloud managed assessments
CustomPolicy

string

User defined policies that are automatically ingested from Azure Policy to Microsoft Defender for Cloud
CustomerManaged

string

User assessments pushed directly by the user or other third party to Microsoft Defender for Cloud
VerifiedPartner

string

An assessment that was created by a verified 3rd party if the user connected it to ASC

categories

Name Type Description
Compute

string

Data

string

IdentityAndAccess

string

IoT

string

Networking

string

CloudError

Common error response for all Azure Resource Manager APIs to return error details for failed operations. (This also follows the OData error response format.).

Name Type Description
error.additionalInfo

ErrorAdditionalInfo[]

The error additional info.
error.code

string

The error code.
error.details

CloudErrorBody[]

The error details.
error.message

string

The error message.
error.target

string

The error target.

CloudErrorBody

The error detail.

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.
code

string

The error code.
details

CloudErrorBody[]

The error details.
message

string

The error message.
target

string

The error target.

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info

object

The additional info.
type

string

The additional info type.

implementationEffort

The implementation effort required to remediate this assessment

Name Type Description
High

string

Low

string

Moderate

string

PublishDates

Name Type Description
GA

string

public

string

SecurityAssessmentMetadataPartnerData

Describes the partner that created the assessment

Name Type Description
partnerName

string

Name of the company of the partner
productName

string

Name of the product of the partner that created the assessment
secret

string

Secret to authenticate the partner and verify it created the assessment - write only

SecurityAssessmentMetadataResponse

Security assessment metadata response

Name Type Description
id

string

Resource Id
name

string

Resource name
properties.assessmentType

assessmentType

BuiltIn if the assessment based on built-in Azure Policy definition, Custom if the assessment based on custom Azure Policy definition
properties.categories

categories[]

The categories of resource that is at risk when the assessment is unhealthy
properties.description

string

Human readable description of the assessment
properties.displayName

string

User friendly display name of the assessment
properties.implementationEffort

implementationEffort

The implementation effort required to remediate this assessment
properties.partnerData

SecurityAssessmentMetadataPartnerData

Describes the partner that created the assessment
properties.plannedDeprecationDate

string

properties.policyDefinitionId

string

Azure resource ID of the policy definition that turns this assessment calculation on
properties.preview

boolean

True if this assessment is in preview release status
properties.publishDates

PublishDates

properties.remediationDescription

string

Human readable description of what you should do to mitigate this security issue
properties.severity

severity

The severity level of the assessment
properties.tactics

tactics[]

Tactic of the assessment
properties.techniques

techniques[]

Techniques of the assessment
properties.threats

threats[]

Threats impact of the assessment
properties.userImpact

userImpact

The user impact of the assessment
type

string

Resource type

SecurityAssessmentMetadataResponseList

List of security assessment metadata

Name Type Description
nextLink

string

The URI to fetch the next page.
value

SecurityAssessmentMetadataResponse[]

Security assessment metadata response

severity

The severity level of the assessment

Name Type Description
High

string

Low

string

Medium

string

tactics

Name Type Description
Collection

string

Command and Control

string

Credential Access

string

Defense Evasion

string

Discovery

string

Execution

string

Exfiltration

string

Impact

string

Initial Access

string

Lateral Movement

string

Persistence

string

Privilege Escalation

string

Reconnaissance

string

Resource Development

string

techniques

Name Type Description
Abuse Elevation Control Mechanism

string

Access Token Manipulation

string

Account Discovery

string

Account Manipulation

string

Active Scanning

string

Application Layer Protocol

string

Audio Capture

string

Boot or Logon Autostart Execution

string

Boot or Logon Initialization Scripts

string

Brute Force

string

Cloud Infrastructure Discovery

string

Cloud Service Dashboard

string

Cloud Service Discovery

string

Command and Scripting Interpreter

string

Compromise Client Software Binary

string

Compromise Infrastructure

string

Container and Resource Discovery

string

Create Account

string

Create or Modify System Process

string

Credentials from Password Stores

string

Data Destruction

string

Data Encrypted for Impact

string

Data Manipulation

string

Data Staged

string

Data from Cloud Storage Object

string

Data from Configuration Repository

string

Data from Information Repositories

string

Data from Local System

string

Defacement

string

Deobfuscate/Decode Files or Information

string

Disk Wipe

string

Domain Trust Discovery

string

Drive-by Compromise

string

Dynamic Resolution

string

Endpoint Denial of Service

string

Event Triggered Execution

string

Exfiltration Over Alternative Protocol

string

Exploit Public-Facing Application

string

Exploitation for Client Execution

string

Exploitation for Credential Access

string

Exploitation for Defense Evasion

string

Exploitation for Privilege Escalation

string

Exploitation of Remote Services

string

External Remote Services

string

Fallback Channels

string

File and Directory Discovery

string

File and Directory Permissions Modification

string

Gather Victim Network Information

string

Hide Artifacts

string

Hijack Execution Flow

string

Impair Defenses

string

Implant Container Image

string

Indicator Removal on Host

string

Indirect Command Execution

string

Ingress Tool Transfer

string

Input Capture

string

Inter-Process Communication

string

Lateral Tool Transfer

string

Man-in-the-Middle

string

Masquerading

string

Modify Authentication Process

string

Modify Registry

string

Network Denial of Service

string

Network Service Scanning

string

Network Sniffing

string

Non-Application Layer Protocol

string

Non-Standard Port

string

OS Credential Dumping

string

Obfuscated Files or Information

string

Obtain Capabilities

string

Office Application Startup

string

Permission Groups Discovery

string

Phishing

string

Pre-OS Boot

string

Process Discovery

string

Process Injection

string

Protocol Tunneling

string

Proxy

string

Query Registry

string

Remote Access Software

string

Remote Service Session Hijacking

string

Remote Services

string

Remote System Discovery

string

Resource Hijacking

string

SQL Stored Procedures

string

Scheduled Task/Job

string

Screen Capture

string

Search Victim-Owned Websites

string

Server Software Component

string

Service Stop

string

Signed Binary Proxy Execution

string

Software Deployment Tools

string

Steal or Forge Kerberos Tickets

string

Subvert Trust Controls

string

Supply Chain Compromise

string

System Information Discovery

string

Taint Shared Content

string

Traffic Signaling

string

Transfer Data to Cloud Account

string

Trusted Relationship

string

Unsecured Credentials

string

User Execution

string

Valid Accounts

string

Windows Management Instrumentation

string

threats

Name Type Description
accountBreach

string

dataExfiltration

string

dataSpillage

string

denialOfService

string

elevationOfPrivilege

string

maliciousInsider

string

missingCoverage

string

threatResistance

string

userImpact

The user impact of the assessment

Name Type Description
High

string

Low

string

Moderate

string