{
  "swagger": "2.0",
  "schemes": [
    "https"
  ],
  "host": "management.azure.com",
  "info": {
    "description": "API spec for Microsoft.Security (Azure Security Center) resource provider",
    "title": "Security Center",
    "version": "2015-06-01-preview",
    "x-apisguru-categories": [
      "cloud"
    ],
    "x-logo": {
      "url": "https://api.apis.guru/v2/cache/logo/https_assets.onestore.ms_cdnfiles_onestorerolling-1606-01000_shell_v3_images_logo_microsoft.png"
    },
    "x-origin": [
      {
        "format": "swagger",
        "url": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/specification/security/resource-manager/Microsoft.Security/preview/2015-06-01-preview/alerts.json",
        "version": "2.0"
      }
    ],
    "x-preferred": false,
    "x-providerName": "azure.com",
    "x-serviceName": "security-alerts",
    "x-tags": [
      "Azure",
      "Microsoft"
    ]
  },
  "consumes": [
    "application/json"
  ],
  "produces": [
    "application/json"
  ],
  "securityDefinitions": {
    "azure_auth": {
      "authorizationUrl": "https://login.microsoftonline.com/common/oauth2/authorize",
      "description": "Azure Active Directory OAuth2 Flow",
      "flow": "implicit",
      "scopes": {
        "user_impersonation": "impersonate your user account"
      },
      "type": "oauth2"
    }
  },
  "security": [
    {
      "azure_auth": [
        "user_impersonation"
      ]
    }
  ],
  "parameters": {
    "AlertName": {
      "description": "Name of the alert object",
      "in": "path",
      "name": "alertName",
      "required": true,
      "type": "string",
      "x-ms-parameter-location": "method"
    }
  },
  "paths": {
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts": {
      "get": {
        "description": "List all the alerts that are associated with the subscription",
        "operationId": "Alerts_List",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "OData filter. Optional.",
            "in": "query",
            "name": "$filter",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData select. Optional.",
            "in": "query",
            "name": "$select",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData expand. Optional.",
            "in": "query",
            "name": "$expand",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a subscription": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=",
                        "description": "A process was detected running on the host and is considered suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Suspicious Screensaver process executed",
                        "alertName": "SuspiciousScreenSaver",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm2",
                        "confidenceReasons": [
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "cmd.exe appeared in multiple alerts of the same type",
                            "type": "Process"
                          }
                        ],
                        "confidenceScore": 0.3,
                        "correlationKey": "CCso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0sWqs=",
                        "description": "The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extension are screen saver files and normally reside in and execute from the Windows system directory.",
                        "detectedTimeUtc": "2018-05-07T13:51:45.0045913Z",
                        "entities": [
                          {
                            "OsVersion": null,
                            "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                            "dnsDomain": "",
                            "hostName": "vm2",
                            "netBiosName": "vm2",
                            "ntDomain": "",
                            "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
                            "operatingSystem": "Unknown",
                            "type": "host"
                          },
                          {
                            "logonId": "0x61450d87",
                            "name": "contosoUser",
                            "ntDomain": "vm2",
                            "sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
                            "type": "account"
                          },
                          {
                            "directory": "c:\\windows\\system32",
                            "name": "cmd.exe",
                            "type": "file"
                          },
                          {
                            "directory": "c:\\users\\contosoUser",
                            "name": "scrsave.scr",
                            "type": "file"
                          },
                          {
                            "commandLine": "c:\\users\\contosoUser\\scrsave.scr",
                            "creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
                            "processId": "0x4aec",
                            "type": "process"
                          }
                        ],
                        "extendedProperties": {
                          "account logon id": "0x61450d87",
                          "command line": "c:\\users\\contosoUser\\scrsave.scr",
                          "domain name": "vm2",
                          "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}",
                          "parent process": "cmd.exe",
                          "parent process id": "0x3c44",
                          "process id": "0x4aec",
                          "process name": "c:\\users\\contosoUser\\scrsave.scr",
                          "resourceType": "Virtual Machine",
                          "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
                          "user name": "vm2\\contosoUser"
                        },
                        "instanceId": "2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                        "remediationSteps": "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team",
                        "reportedSeverity": "Low",
                        "reportedTimeUtc": "2018-05-07T13:51:48.3810457Z",
                        "state": "Active",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "systemSource": "Azure",
                        "vendorName": "Microsoft",
                        "workspaceArmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts": {
      "get": {
        "description": "List all the alerts that are associated with the subscription that are stored in a specific location",
        "operationId": "Alerts_ListSubscriptionLevelAlertsByRegion",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription. It can be retrieved from the Get Locations operation.",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "description": "OData filter. Optional.",
            "in": "query",
            "name": "$filter",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData select. Optional.",
            "in": "query",
            "name": "$select",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData expand. Optional.",
            "in": "query",
            "name": "$expand",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a subscription from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=",
                        "description": "A process was detected running on the host and is considered suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    },
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Suspicious Screensaver process executed",
                        "alertName": "SuspiciousScreenSaver",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm2",
                        "confidenceReasons": [
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "Suspicious process execution history for this subscription",
                            "type": "Process"
                          },
                          {
                            "reason": "cmd.exe appeared in multiple alerts of the same type",
                            "type": "Process"
                          }
                        ],
                        "confidenceScore": 0.3,
                        "correlationKey": "6Lso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9MY1",
                        "description": "The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extension are screen saver files and normally reside in and execute from the Windows system directory.",
                        "detectedTimeUtc": "2018-05-07T13:51:45.0045913Z",
                        "entities": [
                          {
                            "OsVersion": null,
                            "azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
                            "dnsDomain": "",
                            "hostName": "vm2",
                            "netBiosName": "vm2",
                            "ntDomain": "",
                            "omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
                            "operatingSystem": "Unknown",
                            "type": "host"
                          },
                          {
                            "logonId": "0x61450d87",
                            "name": "contosoUser",
                            "ntDomain": "vm2",
                            "sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
                            "type": "account"
                          },
                          {
                            "directory": "c:\\windows\\system32",
                            "name": "cmd.exe",
                            "type": "file"
                          },
                          {
                            "processId": "0x3c44",
                            "type": "process"
                          },
                          {
                            "directory": "c:\\users\\contosoUser",
                            "name": "scrsave.scr",
                            "type": "file"
                          },
                          {
                            "commandLine": "c:\\users\\contosoUser\\scrsave.scr",
                            "creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
                            "processId": "0x4aec",
                            "type": "process"
                          }
                        ],
                        "extendedProperties": {
                          "account logon id": "0x61450d87",
                          "command line": "c:\\users\\contosoUser\\scrsave.scr",
                          "domain name": "vm2",
                          "enrichment_tas_threat__reports": "{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}",
                          "parent process": "cmd.exe",
                          "parent process id": "0x3c44",
                          "process id": "0x4aec",
                          "process name": "c:\\users\\contosoUser\\scrsave.scr",
                          "resourceType": "Virtual Machine",
                          "user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
                          "user name": "vm2\\contosoUser"
                        },
                        "instanceId": "2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
                        "remediationSteps": "1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team",
                        "reportedSeverity": "Low",
                        "reportedTimeUtc": "2018-05-07T13:51:48.3810457Z",
                        "state": "Active",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "systemSource": "Azure",
                        "vendorName": "Microsoft",
                        "workspaceArmId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": {
      "get": {
        "description": "Get an alert that is associated with a subscription",
        "operationId": "Alerts_GetSubscriptionLevelAlert",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription. It can be retrieved from the Get locations operation.",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "$ref": "#/parameters/AlertName"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/Alert"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alert on a subscription from a security data location": {
            "parameters": {
              "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "properties": {
                    "actionTaken": "Detected",
                    "alertDisplayName": "Threat Intelligence Alert",
                    "alertName": "ThreatIntelligence",
                    "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                    "canBeInvestigated": true,
                    "compromisedEntity": "vm1",
                    "confidenceReasons": [
                      {
                        "reason": "Some user reason",
                        "type": "User"
                      },
                      {
                        "reason": "Some process reason",
                        "type": "Process"
                      },
                      {
                        "reason": "Some computer reason",
                        "type": "Computer"
                      }
                    ],
                    "confidenceScore": 0.8,
                    "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=",
                    "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                    "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                    "entities": [
                      {
                        "address": "192.0.2.1",
                        "location": {
                          "asn": 6584,
                          "city": "sonning",
                          "countryCode": "gb",
                          "latitude": 51.468,
                          "longitude": -0.909,
                          "state": "wokingham"
                        },
                        "threatIntelligence": [
                          {
                            "confidence": 0.8,
                            "providerName": "Team Cymru",
                            "reportLink": "http://www.microsoft.com",
                            "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                            "threatName": "rarog",
                            "threatType": "C2"
                          }
                        ],
                        "type": "ip"
                      }
                    ],
                    "extendedProperties": {
                      "attacker IP": "192.0.2.1",
                      "domain Name": "Contoso",
                      "resourceType": "Virtual Machine",
                      "user Name": "administrator"
                    },
                    "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                    "isIncident": false,
                    "remediationSteps": "verify that the user invoked this process\r\nrun an anti-malware scan of the VM",
                    "reportedSeverity": "High",
                    "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                    "state": "Dismissed",
                    "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                    "vendorName": "Microsoft"
                  },
                  "type": "Microsoft.Security/Locations/alerts"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": {
      "post": {
        "description": "Update the alert's state to Dismissed. This is a state-changing operation; it returns 204 No Content on success.",
        "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToDismiss",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription. It can be retrieved from the Get locations operation.",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "$ref": "#/parameters/AlertName"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Update security alert state on a subscription from a security data location": {
            "parameters": {
              "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
              "alertUpdateActionType": "Dismiss",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": {
      "post": {
        "description": "Update the alert's state to Active (reactivate a previously dismissed alert). This is a state-changing operation; it returns 204 No Content on success.",
        "operationId": "Alerts_UpdateSubscriptionLevelAlertStateToReactivate",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription. It can be retrieved from the Get locations operation.",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "$ref": "#/parameters/AlertName"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Update security alert state on a subscription from a security data location": {
            "parameters": {
              "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
              "alertUpdateActionType": "Reactivate",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts": {
      "get": {
        "description": "List all the alerts that are associated with the resource group",
        "operationId": "Alerts_ListByResourceGroup",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData filter. Optional.",
            "in": "query",
            "name": "$filter",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData select. Optional.",
            "in": "query",
            "name": "$select",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData expand. Optional.",
            "in": "query",
            "name": "$expand",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a resource group": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=",
                        "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun an anti-malware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts": {
      "get": {
        "description": "List all the alerts that are associated with the resource group that are stored in a specific location",
        "operationId": "Alerts_ListResourceGroupLevelAlertsByRegion",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription. It can be retrieved from the Get locations operation.",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData filter. Optional.",
            "in": "query",
            "name": "$filter",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData select. Optional.",
            "in": "query",
            "name": "$select",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          },
          {
            "description": "OData expand. Optional.",
            "in": "query",
            "name": "$expand",
            "required": false,
            "type": "string",
            "x-ms-parameter-location": "method"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/AlertList"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alerts on a resource group from a security data location": {
            "parameters": {
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "value": [
                    {
                      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                      "properties": {
                        "actionTaken": "Detected",
                        "alertDisplayName": "Threat Intelligence Alert",
                        "alertName": "ThreatIntelligence",
                        "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                        "canBeInvestigated": true,
                        "compromisedEntity": "vm1",
                        "confidenceReasons": [
                          {
                            "reason": "Some user reason",
                            "type": "User"
                          },
                          {
                            "reason": "Some process reason",
                            "type": "Process"
                          },
                          {
                            "reason": "Some computer reason",
                            "type": "Computer"
                          }
                        ],
                        "confidenceScore": 0.8,
                        "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=",
                        "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                        "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                        "entities": [
                          {
                            "address": "192.0.2.1",
                            "location": {
                              "asn": 6584,
                              "city": "sonning",
                              "countryCode": "gb",
                              "latitude": 51.468,
                              "longitude": -0.909,
                              "state": "wokingham"
                            },
                            "threatIntelligence": [
                              {
                                "confidence": 0.8,
                                "providerName": "Team Cymru",
                                "reportLink": "http://www.microsoft.com",
                                "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                                "threatName": "rarog",
                                "threatType": "C2"
                              }
                            ],
                            "type": "ip"
                          }
                        ],
                        "extendedProperties": {
                          "attacker IP": "192.0.2.1",
                          "domain Name": "Contoso",
                          "resourceType": "Virtual Machine",
                          "user Name": "administrator"
                        },
                        "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                        "isIncident": false,
                        "remediationSteps": "verify that the user invoked this process\r\nrun an anti-malware scan of the VM",
                        "reportedSeverity": "High",
                        "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                        "state": "Dismissed",
                        "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                        "vendorName": "Microsoft"
                      },
                      "type": "Microsoft.Security/Locations/alerts"
                    }
                  ]
                }
              }
            }
          }
        },
        "x-ms-pageable": {
          "nextLinkName": "nextLink"
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}": {
      "get": {
        "description": "Get an alert that is associated with a resource group or with a resource in a resource group",
        "operationId": "Alerts_GetResourceGroupLevelAlerts",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription; it can be retrieved from Get locations",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "$ref": "#/parameters/AlertName"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          }
        ],
        "responses": {
          "200": {
            "description": "OK",
            "schema": {
              "$ref": "#/definitions/Alert"
            }
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Get security alert on a resource group from a security data location": {
            "parameters": {
              "alertName": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg1",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "200": {
                "body": {
                  "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "name": "2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
                  "properties": {
                    "actionTaken": "Detected",
                    "alertDisplayName": "Threat Intelligence Alert",
                    "alertName": "ThreatIntelligence",
                    "associatedResource": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                    "canBeInvestigated": true,
                    "compromisedEntity": "vm1",
                    "confidenceReasons": [
                      {
                        "reason": "Some user reason",
                        "type": "User"
                      },
                      {
                        "reason": "Some process reason",
                        "type": "Process"
                      },
                      {
                        "reason": "Some computer reason",
                        "type": "Computer"
                      }
                    ],
                    "confidenceScore": 0.8,
                    "correlationKey": "Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=",
                    "description": "Process was detected running on the host and is considered to be suspicious; verify that the user ran it",
                    "detectedTimeUtc": "2018-05-01T19:50:47.083633Z",
                    "entities": [
                      {
                        "address": "192.0.2.1",
                        "location": {
                          "asn": 6584,
                          "city": "sonning",
                          "countryCode": "gb",
                          "latitude": 51.468,
                          "longitude": -0.909,
                          "state": "wokingham"
                        },
                        "threatIntelligence": [
                          {
                            "confidence": 0.8,
                            "providerName": "Team Cymru",
                            "reportLink": "http://www.microsoft.com",
                            "threatDescription": "In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.",
                            "threatName": "rarog",
                            "threatType": "C2"
                          }
                        ],
                        "type": "ip"
                      }
                    ],
                    "extendedProperties": {
                      "attacker IP": "192.0.2.1",
                      "domain Name": "Contoso",
                      "resourceType": "Virtual Machine",
                      "user Name": "administrator"
                    },
                    "instanceId": "f144ee95-a3e5-42da-a279-967d115809aa",
                    "isIncident": false,
                    "remediationSteps": "verify that the user invoked this process\r\nrun antimalware scan of the VM",
                    "reportedSeverity": "High",
                    "reportedTimeUtc": "2018-05-02T05:36:12.2089889Z",
                    "state": "Dismissed",
                    "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
                    "vendorName": "Microsoft"
                  },
                  "type": "Microsoft.Security/Locations/alerts"
                }
              }
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss": {
      "post": {
        "description": "Dismiss the alert (update the alert's state to Dismissed)",
        "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToDismiss",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription; it can be retrieved from Get locations",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "$ref": "#/parameters/AlertName"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Update security alert state on a resource group from a security data location": {
            "parameters": {
              "alertName": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
              "alertUpdateActionType": "Dismiss",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg2",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    },
    "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate": {
      "post": {
        "description": "Reactivate the alert (update the alert's state to Active)",
        "operationId": "Alerts_UpdateResourceGroupLevelAlertStateToReactivate",
        "parameters": [
          {
            "description": "API version for the operation",
            "in": "query",
            "name": "api-version",
            "required": true,
            "type": "string"
          },
          {
            "description": "Azure subscription ID",
            "in": "path",
            "name": "subscriptionId",
            "pattern": "^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$",
            "required": true,
            "type": "string"
          },
          {
            "description": "The location where ASC stores the data of the subscription; it can be retrieved from Get locations",
            "in": "path",
            "name": "ascLocation",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "client"
          },
          {
            "$ref": "#/parameters/AlertName"
          },
          {
            "description": "The name of the resource group within the user's subscription. The name is case insensitive.",
            "in": "path",
            "maxLength": 90,
            "minLength": 1,
            "name": "resourceGroupName",
            "pattern": "^[-\\w\\._\\(\\)]+$",
            "required": true,
            "type": "string",
            "x-ms-parameter-location": "method"
          }
        ],
        "responses": {
          "204": {
            "description": "No Content"
          },
          "default": {
            "description": "Error response describing why the operation failed.",
            "schema": {
              "description": "Error response structure.",
              "properties": {
                "error": {
                  "description": "Error details.",
                  "properties": {
                    "code": {
                      "description": "An identifier for the error. Codes are invariant and are intended to be consumed programmatically.",
                      "readOnly": true,
                      "type": "string"
                    },
                    "message": {
                      "description": "A message describing the error, intended to be suitable for display in a user interface.",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "x-ms-external": true
                }
              },
              "type": "object",
              "x-ms-external": true
            }
          }
        },
        "tags": [
          "Alerts"
        ],
        "x-ms-examples": {
          "Update security alert state on a resource group from a security data location": {
            "parameters": {
              "alertName": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
              "alertUpdateActionType": "Dismiss",
              "api-version": "2015-06-01-preview",
              "ascLocation": "westeurope",
              "resourceGroupName": "myRg2",
              "subscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23"
            },
            "responses": {
              "204": {}
            }
          }
        }
      }
    }
  },
  "definitions": {
    "Alert": {
      "allOf": [
        {
          "description": "Describes an Azure resource.",
          "properties": {
            "id": {
              "description": "Resource Id",
              "readOnly": true,
              "type": "string"
            },
            "name": {
              "description": "Resource name",
              "readOnly": true,
              "type": "string"
            },
            "type": {
              "description": "Resource type",
              "readOnly": true,
              "type": "string"
            }
          },
          "type": "object",
          "x-ms-azure-resource": true
        }
      ],
      "description": "Security alert",
      "properties": {
        "properties": {
          "$ref": "#/definitions/AlertProperties",
          "x-ms-client-flatten": true
        }
      },
      "type": "object"
    },
    "AlertConfidenceReason": {
      "description": "Factors that increase our confidence that the alert is a true positive",
      "properties": {
        "reason": {
          "description": "description of the confidence reason",
          "readOnly": true,
          "type": "string"
        },
        "type": {
          "description": "Type of confidence factor",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "AlertEntity": {
      "additionalProperties": true,
      "description": "Changing set of properties depending on the entity type.",
      "properties": {
        "type": {
          "description": "Type of entity",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    },
    "AlertExtendedProperties": {
      "additionalProperties": true,
      "description": "Changing set of properties depending on the alert type.",
      "type": "object"
    },
    "AlertList": {
      "description": "List of security alerts",
      "properties": {
        "nextLink": {
          "description": "The URI to fetch the next page.",
          "readOnly": true,
          "type": "string"
        },
        "value": {
          "items": {
            "$ref": "#/definitions/Alert"
          },
          "type": "array"
        }
      },
      "type": "object"
    },
    "AlertProperties": {
      "description": "Describes security alert properties.",
      "properties": {
        "actionTaken": {
          "description": "The action that was taken as a response to the alert (Active, Blocked etc.)",
          "readOnly": true,
          "type": "string"
        },
        "alertDisplayName": {
          "description": "Display name of the alert type",
          "readOnly": true,
          "type": "string"
        },
        "alertName": {
          "description": "Name of the alert type",
          "readOnly": true,
          "type": "string"
        },
        "associatedResource": {
          "description": "Azure resource ID of the associated resource",
          "readOnly": true,
          "type": "string"
        },
        "canBeInvestigated": {
          "description": "Whether this alert can be investigated with Azure Security Center",
          "readOnly": true,
          "type": "boolean"
        },
        "compromisedEntity": {
          "description": "The entity that the incident happened on",
          "readOnly": true,
          "type": "string"
        },
        "confidenceReasons": {
          "description": "reasons the alert got the confidenceScore value",
          "items": {
            "$ref": "#/definitions/AlertConfidenceReason"
          },
          "type": "array"
        },
        "confidenceScore": {
          "description": "Level of confidence we have in the alert",
          "format": "float",
          "maximum": 1,
          "minimum": 0,
          "readOnly": true,
          "type": "number"
        },
        "correlationKey": {
          "description": "Alerts with the same CorrelationKey will be grouped together in Ibiza.",
          "readOnly": true,
          "type": "string"
        },
        "description": {
          "description": "Description of the incident and what it means",
          "readOnly": true,
          "type": "string"
        },
        "detectedTimeUtc": {
          "description": "The time the incident was detected by the vendor",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "entities": {
          "description": "Objects that are related to this alert",
          "items": {
            "$ref": "#/definitions/AlertEntity"
          },
          "type": "array"
        },
        "extendedProperties": {
          "$ref": "#/definitions/AlertExtendedProperties"
        },
        "instanceId": {
          "description": "Instance ID of the alert.",
          "readOnly": true,
          "type": "string"
        },
        "isIncident": {
          "description": "Whether this alert is of the incident type (otherwise it is a single alert)",
          "readOnly": true,
          "type": "boolean"
        },
        "remediationSteps": {
          "description": "Recommended steps to remediate the incident",
          "readOnly": true,
          "type": "string"
        },
        "reportedSeverity": {
          "description": "Estimated severity of this alert",
          "enum": [
            "Silent",
            "Information",
            "Low",
            "High"
          ],
          "readOnly": true,
          "type": "string",
          "x-ms-enum": {
            "modelAsString": true,
            "name": "reportedSeverity",
            "values": [
              {
                "value": "Silent"
              },
              {
                "value": "Information"
              },
              {
                "value": "Low"
              },
              {
                "value": "High"
              }
            ]
          }
        },
        "reportedTimeUtc": {
          "description": "The time the incident was reported to Microsoft.Security in UTC",
          "format": "date-time",
          "readOnly": true,
          "type": "string"
        },
        "state": {
          "description": "State of the alert (Active, Dismissed etc.)",
          "readOnly": true,
          "type": "string"
        },
        "subscriptionId": {
          "description": "Azure subscription ID of the resource that had the security alert or the subscription ID of the workspace that this resource reports to",
          "readOnly": true,
          "type": "string"
        },
        "systemSource": {
          "description": "The type of the alerted resource (Azure, Non-Azure)",
          "readOnly": true,
          "type": "string"
        },
        "vendorName": {
          "description": "Name of the vendor that discovered the incident",
          "readOnly": true,
          "type": "string"
        },
        "workspaceArmId": {
          "description": "Azure resource ID of the workspace that the alert was reported to.",
          "readOnly": true,
          "type": "string"
        }
      },
      "type": "object"
    }
  }
}