
List Alerts

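List alerts that are associated with the subscription. You can further filter the alerts by location or resource group. As the example output below shows, the response can include a `nextLink` value, which indicates that more alerts are available beyond the ones returned in `value`.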

External Documentation

Parameters

| Parameter | Description |
| --- | --- |
| ASC Location | The location of the Azure Security Center which stores the data of the subscription. |
| Resource Group Name | The name of the resource group within the user's subscription. The name is case-insensitive. |
| Subscription ID | Azure subscription ID. |

Example Output

{
"nextLink": "https://management.azure.com:443/subscriptions/a303ce4e-302e-471a-8188-4dab418ce9ea/providers/Microsoft.Security/locations/centralus/alerts?api-version=2022-01-01&$skipToken=eyJOZXh0UGFydGl0aW9uS2V5IjoiMSE0OCFZVE13TTJObE5HVXRNekF5WlMwME56RmhMVGd4T0RndE5HUmhZalF4T0dObE9XVmgiLCJOZXh0Um93S2V5IjoiMSE3NiFNalV4TnpFek16azROalV4T0RjNE5UTXpObDh6Tm1KaVpEQmtaUzAzTjJVMkxUUTJNamt0T0ROaVl5MWhabUkyWmpjd1pUWmtOR1UtIiwiTmV4dFRhYmxlTmFtZSI6bnVsbCwiVGFyZ2V0TG9jYXRpb24iOjB9",
"value": [
{
"id": "/subscriptions/a303ce4e-302e-471a-8188-4dab418ce9ea/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517131536270165181_4fcdbd42-eff9-47e3-8f87-ef6737638fa7",
"name": "2517131536270165181_4fcdbd42-eff9-47e3-8f87-ef6737638fa7",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"status": "Dismissed",
"timeGeneratedUtc": "2023-07-12T07:32:56.6180185Z",
"processingEndTimeUtc": "2023-07-12T07:32:54.9834818Z",
"version": "2022-01-01.0",
"vendorName": "Microsoft",
"productName": "Microsoft Defender for Cloud",
"productComponentName": "App Service",
"alertType": "SIMULATED_APPS_WpThemeInjection",
"startTimeUtc": "2023-07-12T07:32:52.9834818Z",
"endTimeUtc": "2023-07-12T07:32:52.9834818Z",
"severity": "High",
"isIncident": false,
"systemAlertId": "2517131536270165181_4fcdbd42-eff9-47e3-8f87-ef6737638fa7",
"intent": "Unknown",
"resourceIdentifiers": [
{
"$id": "centralus_161",
"azureResourceId": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"type": "AzureResource",
"azureResourceTenantId": "b903ec40-8a55-469a-81bf-2f6a26736618"
},
{
"$id": "centralus_162",
"aadTenantId": "b903ec40-8a55-469a-81bf-2f6a26736618",
"type": "AAD"
}
],
"compromisedEntity": "Sample-App",
"alertDisplayName": "[SAMPLE ALERT] Suspicious WordPress theme invocation detected",
"description": "THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\r\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\r\nThis type of activity was seen in the past as part of an attack campaign over WordPress.",
"remediationSteps": [
"1. If WordPress is installed, make sure that the application is up to date and automatic updates are enabled.",
"2. If only specific IP addresses should be allowed to access the web app, set IP restrictions (https://docs.microsoft.com/azure/app-service/app-service-ip-restrictions) for it."
],
"extendedProperties": {
"actionTaken": "Detected",
"sample Source IP Addresses": "00.00.00.00",
"sample User Agents": "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:48.0)+Gecko/20100101+Firefox/48.0, Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/63.0.3239.132+Safari/537.36",
"last Event Time": "12/11/2019 12:34:27 AM",
"sample Referer": "-",
"sample URIs": "/login.php",
"resourceType": "App Service"
},
"entities": [
{
"$id": "centralus_163",
"hostName": "Sample-App",
"azureID": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"asset": false,
"type": "host"
},
{
"$id": "centralus_164",
"resourceId": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"resourceType": "App Service",
"resourceName": "Sample-App",
"metadata": {
"isGraphCenter": true
},
"asset": true,
"type": "azure-resource"
}
],
"alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517131536270165181_4fcdbd42-eff9-47e3-8f87-ef6737638fa7/subscriptionId/a303ce4e-302e-471a-8188-4dab418ce9ea/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus"
}
},
{
"id": "/subscriptions/a303ce4e-302e-471a-8188-4dab418ce9ea/resourceGroups/Sample-RG/providers/Microsoft.Security/locations/centralus/alerts/2517131536290165181_d37ef06e-0350-4cd5-9314-4dfd884b5bd2",
"name": "2517131536290165181_d37ef06e-0350-4cd5-9314-4dfd884b5bd2",
"type": "Microsoft.Security/Locations/alerts",
"properties": {
"status": "Active",
"timeGeneratedUtc": "2023-07-12T07:32:55.3212895Z",
"processingEndTimeUtc": "2023-07-12T07:32:54.9834818Z",
"version": "2022-01-01.0",
"vendorName": "Microsoft",
"productName": "Microsoft Defender for Cloud",
"productComponentName": "App Service",
"alertType": "SIMULATED_MaliciousContent-AzureWebApps",
"startTimeUtc": "2023-07-12T07:32:50.9834818Z",
"endTimeUtc": "2023-07-12T07:32:50.9834818Z",
"severity": "High",
"isIncident": false,
"systemAlertId": "2517131536290165181_d37ef06e-0350-4cd5-9314-4dfd884b5bd2",
"intent": "Collection",
"resourceIdentifiers": [
{
"$id": "centralus_165",
"azureResourceId": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"type": "AzureResource",
"azureResourceTenantId": "b903ec40-8a55-469a-81bf-2f6a26736618"
},
{
"$id": "centralus_166",
"aadTenantId": "b903ec40-8a55-469a-81bf-2f6a26736618",
"type": "AAD"
}
],
"compromisedEntity": "Sample-App",
"alertDisplayName": "[SAMPLE ALERT] Phishing content hosted on Azure Webapps",
"description": "THIS IS A SAMPLE ALERT: URL used for phishing attack found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lure visitors into entering their corporate credentials or financial information into a legitimate looking website.",
"remediationSteps": [
"1. Use Azure Web Sites Process Explorer and try to identify unknown running processes (see https://blogs.msdn.microsoft.com/waws/2014/11/14/viewing-process-information-for-microsoft-azure-web-sites/)",
"2. Escalate the alert to the information security team."
],
"extendedProperties": {
"url": "https://sample.azurewebsites.net",
"resourceType": "App Service"
},
"entities": [
{
"$id": "centralus_167",
"url": "https://sample.azurewebsites.net",
"asset": false,
"type": "url"
},
{
"$id": "centralus_168",
"resourceId": "/SUBSCRIPTIONS/a303ce4e-302e-471a-8188-4dab418ce9ea/RESOURCEGROUPS/Sample-RG/providers/Microsoft.Web/sites/Sample-App",
"resourceType": "App Service",
"resourceName": "Sample-App",
"metadata": {
"isGraphCenter": true
},
"asset": true,
"type": "azure-resource"
}
],
"alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517131536290165181_d37ef06e-0350-4cd5-9314-4dfd884b5bd2/subscriptionId/a303ce4e-302e-471a-8188-4dab418ce9ea/resourceGroup/Sample-RG/referencedFrom/alertDeepLink/location/centralus"
}
}
]
}

Workflow Library Example

List Alerts with Microsoft Defender for Cloud and Send Results Via Email
