Get Alert
Get an alert that is associated with a subscription.
External Documentation
To learn more, visit the Microsoft Defender For Cloud documentation.
Parameters
| Parameter | Description |
|---|---|
| ASC Location | The location of the Azure Security Center which stores the data of the subscription. |
| Alert Name | The name of the alert. |
| Subscription ID | Azure subscription ID. |
Example Output
{
"id": "/subscriptions/a303ce4e-302e-471a-8188-4dab418ce9ea/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517131398922676665_f81f517a-b61e-4c7b-9fc5-82ec0d385de1",
"name": "2517131398922676665_f81f517a-b61e-4c7b-9fc5-82ec0d385de1",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"status": "Active",
"timeGeneratedUtc": "2023-07-12T11:21:50.1666649Z",
"processingEndTimeUtc": "2023-07-12T11:21:49.7323334Z",
"version": "2022-01-01.0",
"vendorName": "Microsoft",
"productName": "Microsoft Defender for Cloud",
"productComponentName": "App Service",
"alertType": "SIMULATED_APPS_WpThemeInjection",
"startTimeUtc": "2023-07-12T11:21:47.7323334Z",
"endTimeUtc": "2023-07-12T11:21:47.7323334Z",
"severity": "High",
"isIncident": false,
"systemAlertId": "2517131398922676665_f81f517a-b61e-4c7b-9fc5-82ec0d385de1",
"intent": "Unknown",
"resourceIdentifiers": [
{
"$id": "centralus_1",
"azureResourceId": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"type": "AzureResource",
"azureResourceTenantId": "b903ec40-8a55-469a-81bf-2f6a26736618"
},
{
"$id": "centralus_2",
"aadTenantId": "b903ec40-8a55-469a-81bf-2f6a26736618",
"type": "AAD"
}
],
"compromisedEntity": "Sample-App",
"alertDisplayName": "[SAMPLE ALERT] Suspicious WordPress theme invocation detected",
"description": "THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\r\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\r\nThis type of activity was seen in the past as part of an attack campaign over WordPress.",
"remediationSteps": [
"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.",
"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it."
],
"extendedProperties": {
"actionTaken": "Detected",
"sample Source IP Addresses": "00.00.00.00",
"sample User Agents": "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36",
"last Event Time": "12/11/2019 12:34:27 AM",
"sample Referer": "-",
"sample URIs": "/login.php",
"resourceType": "App Service"
},
"entities": [
{
"$id": "centralus_3",
"hostName": "Sample-App",
"azureID": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"asset": false,
"type": "host"
},
{
"$id": "centralus_4",
"resourceId": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"resourceType": "App Service",
"resourceName": "Sample-App",
"metadata": {
"isGraphCenter": true
},
"asset": true,
"type": "azure-resource"
}
],
"alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517131398922676665_f81f517a-b61e-4c7b-9fc5-82ec0d385de1/subscriptionId/a303ce4e-302e-471a-8188-4dab418ce9ea/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus"
}
}
Workflow Library Example
Get Alert with Microsoft Defender for Cloud and Send Results Via Email
Preview this Workflow on desktop