Incidents - List Alerts

Gets all alerts for an incident.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts?api-version=2024-03-01

URI Parameters

Name In Required Type Description
incidentId
path True

string

Incident ID

resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

uuid

The ID of the target subscription. The value must be an UUID.

workspaceName
path True

string

The name of the workspace.

Regex pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$

api-version
query True

string

The API version to use for this operation.

Responses

Name Type Description
200 OK

IncidentAlertList

OK

Other Status Codes

CloudError

Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Get all incident alerts.

Sample request

POST https://management.azure.com/subscriptions/d0cfe6b2-9ac0-4464-9919-dccaee2e48c0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/incidents/afbd324f-6c48-459c-8710-8d1e1cd03812/alerts?api-version=2024-03-01

Sample response

{
  "value": [
    {
      "id": "/subscriptions/bd794837-4d29-4647-9105-6339bfdb4e6a/resourceGroups/myRG/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/Entities/baa8a239-6fde-4ab7-a093-d09f7b75c58c",
      "name": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
      "type": "Microsoft.SecurityInsights/Entities",
      "kind": "SecurityAlert",
      "properties": {
        "systemAlertId": "baa8a239-6fde-4ab7-a093-d09f7b75c58c",
        "tactics": [],
        "alertDisplayName": "myAlert",
        "confidenceLevel": "Unknown",
        "severity": "Low",
        "vendorName": "Microsoft",
        "productName": "Azure Security Center",
        "alertType": "myAlert",
        "processingEndTime": "2020-07-20T18:21:53.6158361Z",
        "status": "New",
        "endTimeUtc": "2020-07-20T18:21:53.6158361Z",
        "startTimeUtc": "2020-07-20T18:21:53.6158361Z",
        "timeGenerated": "2020-07-20T18:21:53.6158361Z",
        "resourceIdentifiers": [
          {
            "type": "LogAnalytics",
            "workspaceId": "c8c99641-985d-4e4e-8e91-fb3466cd0e5b",
            "subscriptionId": "bd794837-4d29-4647-9105-6339bfdb4e6a",
            "resourceGroup": "myRG"
          }
        ],
        "additionalData": {
          "AlertMessageEnqueueTime": "2020-07-20T18:21:57.304Z"
        },
        "friendlyName": "myAlert"
      }
    }
  ]
}

Definitions

Name Description
AlertSeverity

The severity of the alert

AlertStatus

The lifecycle status of the alert.

AttackTactic

The severity for alerts created by this alert rule.

CloudError

Error response structure.

CloudErrorBody

Error details.

ConfidenceLevel

The confidence level of this alert.

ConfidenceReasons

The confidence reasons

ConfidenceScoreStatus

The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.

createdByType

The type of identity that created the resource.

EntityKindEnum

The kind of the aggregated entity.

IncidentAlertList

List of incident alerts.

KillChainIntent

Holds the alert intent stage(s) mapping for this alert.

SecurityAlert

Represents a security alert entity.

systemData

Metadata pertaining to creation and last modification of the resource.

AlertSeverity

The severity of the alert

Name Type Description
High

string

High severity

Informational

string

Informational severity

Low

string

Low severity

Medium

string

Medium severity

AlertStatus

The lifecycle status of the alert.

Name Type Description
Dismissed

string

Alert dismissed as false positive

InProgress

string

Alert is being handled

New

string

New alert

Resolved

string

Alert closed after handling

Unknown

string

Unknown value

AttackTactic

The severity for alerts created by this alert rule.

Name Type Description
Collection

string

CommandAndControl

string

CredentialAccess

string

DefenseEvasion

string

Discovery

string

Execution

string

Exfiltration

string

Impact

string

ImpairProcessControl

string

InhibitResponseFunction

string

InitialAccess

string

LateralMovement

string

Persistence

string

PreAttack

string

PrivilegeEscalation

string

Reconnaissance

string

ResourceDevelopment

string

CloudError

Error response structure.

Name Type Description
error

CloudErrorBody

Error data

CloudErrorBody

Error details.

Name Type Description
code

string

An identifier for the error. Codes are invariant and are intended to be consumed programmatically.

message

string

A message describing the error, intended to be suitable for display in a user interface.

ConfidenceLevel

The confidence level of this alert.

Name Type Description
High

string

High confidence that the alert is true positive malicious

Low

string

Low confidence, meaning we have some doubts this is indeed malicious or part of an attack

Unknown

string

Unknown confidence, the is the default value

ConfidenceReasons

The confidence reasons

Name Type Description
reason

string

The reason's description

reasonType

string

The type (category) of the reason

ConfidenceScoreStatus

The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.

Name Type Description
Final

string

Final score was calculated and available

InProcess

string

No score was set yet and calculation is in progress

NotApplicable

string

Score will not be calculated for this alert as it is not supported by virtual analyst

NotFinal

string

Score is calculated and shown as part of the alert, but may be updated again at a later time following the processing of additional data

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

EntityKindEnum

The kind of the aggregated entity.

Name Type Description
Account

string

Entity represents account in the system.

AzureResource

string

Entity represents azure resource in the system.

Bookmark

string

Entity represents bookmark in the system.

CloudApplication

string

Entity represents cloud application in the system.

DnsResolution

string

Entity represents dns resolution in the system.

File

string

Entity represents file in the system.

FileHash

string

Entity represents file hash in the system.

Host

string

Entity represents host in the system.

IoTDevice

string

Entity represents IoT device in the system.

Ip

string

Entity represents ip in the system.

MailCluster

string

Entity represents mail cluster in the system.

MailMessage

string

Entity represents mail message in the system.

Mailbox

string

Entity represents mailbox in the system.

Malware

string

Entity represents malware in the system.

Process

string

Entity represents process in the system.

RegistryKey

string

Entity represents registry key in the system.

RegistryValue

string

Entity represents registry value in the system.

SecurityAlert

string

Entity represents security alert in the system.

SecurityGroup

string

Entity represents security group in the system.

SubmissionMail

string

Entity represents submission mail in the system.

Url

string

Entity represents url in the system.

IncidentAlertList

List of incident alerts.

Name Type Description
value

SecurityAlert[]

Array of incident alerts.

KillChainIntent

Holds the alert intent stage(s) mapping for this alert.

Name Type Description
Collection

string

Collection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

CommandAndControl

string

The command and control tactic represents how adversaries communicate with systems under their control within a target network.

CredentialAccess

string

Credential access represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. With sufficient access within a network, an adversary can create accounts for later use within the environment.

DefenseEvasion

string

Defense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation.

Discovery

string

Discovery consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.

Execution

string

The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with lateral movement to expand access to remote systems on a network.

Exfiltration

string

Exfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

Exploitation

string

Exploitation is the stage where an attacker manage to get foothold on the attacked resource. This stage is applicable not only for compute hosts, but also for resources such as user accounts, certificates etc. Adversaries will often be able to control the resource after this stage.

Impact

string

The impact intent primary objective is to directly reduce the availability or integrity of a system, service, or network; including manipulation of data to impact a business or operational process. This would often refer to techniques such as ransom-ware, defacement, data manipulation and others.

LateralMovement

string

Lateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool. An adversary can use lateral movement for many purposes, including remote Execution of tools, pivoting to additional systems, access to specific information or files, access to additional credentials, or to cause an effect.

Persistence

string

Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.

PrivilegeEscalation

string

Privilege escalation is the result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.

Probing

string

Probing could be an attempt to access a certain resource regardless of a malicious intent or a failed attempt to gain access to a target system to gather information prior to exploitation. This step is usually detected as an attempt originating from outside the network in attempt to scan the target system and find a way in.

Unknown

string

The default value.

SecurityAlert

Represents a security alert entity.

Name Type Description
id

string

Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"

kind string:

SecurityAlert

The kind of the entity.

name

string

The name of the resource

properties.additionalData

object

A bag of custom fields that should be part of the entity and will be presented to the user.

properties.alertDisplayName

string

The display name of the alert.

properties.alertLink

string

The uri link of the alert.

properties.alertType

string

The type name of the alert.

properties.compromisedEntity

string

Display name of the main entity being reported on.

properties.confidenceLevel

ConfidenceLevel

The confidence level of this alert.

properties.confidenceReasons

ConfidenceReasons[]

The confidence reasons

properties.confidenceScore

number

The confidence score of the alert.

properties.confidenceScoreStatus

ConfidenceScoreStatus

The confidence score calculation status, i.e. indicating if score calculation is pending for this alert, not applicable or final.

properties.description

string

Alert description.

properties.endTimeUtc

string

The impact end time of the alert (the time of the last event contributing to the alert).

properties.friendlyName

string

The graph item display name which is a short humanly readable description of the graph item instance. This property is optional and might be system generated.

properties.intent

KillChainIntent

Holds the alert intent stage(s) mapping for this alert.

properties.processingEndTime

string

The time the alert was made available for consumption.

properties.productComponentName

string

The name of a component inside the product which generated the alert.

properties.productName

string

The name of the product which published this alert.

properties.productVersion

string

The version of the product generating the alert.

properties.providerAlertId

string

The identifier of the alert inside the product which generated the alert.

properties.remediationSteps

string[]

Manual action items to take to remediate the alert.

properties.resourceIdentifiers

object[]

The list of resource identifiers of the alert.

properties.severity

AlertSeverity

The severity of the alert

properties.startTimeUtc

string

The impact start time of the alert (the time of the first event contributing to the alert).

properties.status

AlertStatus

The lifecycle status of the alert.

properties.systemAlertId

string

Holds the product identifier of the alert for the product.

properties.tactics

AttackTactic[]

The tactics of the alert

properties.timeGenerated

string

The time the alert was generated.

properties.vendorName

string

The name of the vendor that raise the alert.

systemData

systemData

Azure Resource Manager metadata containing createdBy and modifiedBy information.

type

string

The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts"

systemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.