Integrations
MS Defender for Cloud
APIs
List Alerts

List Alerts

List alerts from Microsoft Defender for Cloud.

For more information on the API for listing alerts, see List Alerts (opens in a new tab).

SDK Import:

from admyral.actions import list_ms_defender_for_cloud_alerts

Arguments:

Argument Name | Description | Required
Start Time `start_time` | The start time for the alerts to list. Must be in ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ). | -
End Time `end_time` | The end time for the alerts to list. Must be in ISO 8601 format (YYYY-MM-DDTHH:MM:SSZ). | -
Limit `limit` | The maximum number of alerts to list. Default: 100 | Yes

Returns

A JSON array of alerts.

Required Secrets

Secret Placeholder | Description
AZURE_SECRET | MS Defender for Cloud secret. See MS Defender for Cloud setup

SDK Example

# Minimal call: only the secrets mapping is passed, so start_time, end_time and
# limit keep their defaults. The "my_azure_secret" value is presumably the name
# under which the AZURE_SECRET placeholder was stored, not the credential itself
# — confirm against the MS Defender for Cloud setup page.
alerts = list_ms_defender_for_cloud_alerts(secrets={"AZURE_SECRET": "my_azure_secret"})

Example Output:

{
	"value": [
		{
			"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA",
			"name": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
			"type": "Microsoft.Security/Locations/alerts",
			"properties": {
				"version": "2022-01-01",
				"alertType": "VM_EICAR",
				"systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
				"productComponentName": "testName",
				"alertDisplayName": "Azure Security Center test alert (not a threat)",
				"description": "This is a test alert generated by Azure Security Center. No further action is needed.",
				"severity": "High",
				"intent": "Execution",
				"startTimeUtc": "2020-02-22T00:00:00.0000000Z",
				"endTimeUtc": "2020-02-22T00:00:00.0000000Z",
				"resourceIdentifiers": [
					{
						"azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
						"type": "AzureResource"
					},
					{
						"workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
						"workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
						"workspaceResourceGroup": "myRg1",
						"agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
						"type": "LogAnalytics"
					}
				],
				"remediationSteps": ["No further action is needed."],
				"vendorName": "Microsoft",
				"status": "Active",
				"extendedLinks": [
					{
						"Category": "threat_reports",
						"Label": "Report: RDP Brute Forcing",
						"Href": "https://contoso.com/reports/DisplayReport",
						"Type": "webLink"
					}
				],
				"alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
				"timeGeneratedUtc": "2020-02-23T13:47:58.0000000Z",
				"productName": "Azure Security Center",
				"processingEndTimeUtc": "2020-02-23T13:47:58.9205584Z",
				"entities": [
					{
						"address": "192.0.2.1",
						"location": {
							"countryCode": "gb",
							"state": "wokingham",
							"city": "sonning",
							"longitude": -0.909,
							"latitude": 51.468,
							"asn": 6584
						},
						"type": "ip"
					}
				],
				"isIncident": true,
				"correlationKey": "kso0LFWxzCll5tqrk5hmrBJ+MY1BX806W6q6+0s9Lk=",
				"extendedProperties": {
					"Property1": "Property1 information"
				},
				"compromisedEntity": "vm1",
				"techniques": ["T1059", "T1053", "T1072"],
				"subTechniques": ["T1059.001", "T1059.006", "T1053.002"],
				"supportingEvidence": {
					"type": "tabularEvidences",
					"title": "Investigate activity test",
					"columns": [
						"Date",
						"Activity",
						"User",
						"TestedText",
						"TestedValue"
					],
					"rows": [
						[
							"2022-01-17T07:03:52.034Z",
							"Log on",
							"testUser",
							"false",
							false
						],
						[
							"2022-01-17T07:03:52.034Z",
							"Log on",
							"testUser2",
							"false",
							false
						],
						[
							"2022-01-17T07:03:52.034Z",
							"Log on",
							"testUser3",
							"true",
							true
						]
					]
				}
			}
		},
		{
			"id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
			"name": "2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22",
			"type": "Microsoft.Security/Locations/alerts",
			"properties": {
				"version": "2022-01-01",
				"alertType": "VM_SuspiciousScreenSaver",
				"systemAlertId": "2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a",
				"productComponentName": "testName2",
				"alertDisplayName": "Suspicious Screensaver process executed",
				"description": "The process ‘c:\\users\\contosoUser\\scrsave.scr’ was observed executing from an uncommon location. Files with the .scr extensions are screen saver files and are normally reside and execute from the Windows system directory.",
				"severity": "Medium",
				"intent": "Execution",
				"startTimeUtc": "2019-05-07T13:51:45.0045913Z",
				"endTimeUtc": "2019-05-07T13:51:45.0045913Z",
				"resourceIdentifiers": [
					{
						"azureResourceId": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
						"type": "AzureResource"
					},
					{
						"workspaceId": "f419f624-acad-4d89-b86d-f62fa387f019",
						"workspaceSubscriptionId": "20ff7fc3-e762-44dd-bd96-b71116dcdc23",
						"workspaceResourceGroup": "myRg1",
						"agentId": "75724a01-f021-4aa8-9ec2-329792373e6e",
						"type": "LogAnalytics"
					}
				],
				"remediationSteps": [
					"1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)",
					"2. Make sure the machine is completely updated and has an updated anti-malware application installed",
					"3. Run a full anti-malware scan and verify that the threat was removed",
					"4. Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)",
					"5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)",
					"6. Escalate the alert to the information security team"
				],
				"vendorName": "Microsoft",
				"status": "Active",
				"extendedLinks": [
					{
						"Category": "threat_reports",
						"Label": "Report: RDP Brute Forcing",
						"Href": "https://contoso.com/reports/DisplayReport",
						"Type": "webLink"
					}
				],
				"alertUri": "https://portal.azure.com/#blade/Microsoft_Azure_Security/AlertBlade/alertId/2518298467986649999_4d25bfef-2d77-4a08-adc0-3e35715cc92a/subscriptionId/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroup/myRg1/referencedFrom/alertDeepLink/location/westeurope",
				"timeGeneratedUtc": "2019-05-07T13:51:48.3810457Z",
				"productName": "Azure Security Center",
				"processingEndTimeUtc": "2019-05-07T13:51:48.9810457Z",
				"entities": [
					{
						"dnsDomain": "",
						"ntDomain": "",
						"hostName": "vm2",
						"netBiosName": "vm2",
						"azureID": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2",
						"omsAgentID": "45b44640-3b94-4892-a28c-4a5cae27065a",
						"operatingSystem": "Unknown",
						"type": "host",
						"OsVersion": null
					},
					{
						"name": "contosoUser",
						"ntDomain": "vm2",
						"logonId": "0x61450d87",
						"sid": "S-1-5-21-2144575486-8928446540-5163864319-500",
						"type": "account"
					},
					{
						"directory": "c:\\windows\\system32",
						"name": "cmd.exe",
						"type": "file"
					},
					{
						"processId": "0x3c44",
						"type": "process"
					},
					{
						"directory": "c:\\users\\contosoUser",
						"name": "scrsave.scr",
						"type": "file"
					},
					{
						"processId": "0x4aec",
						"commandLine": "c:\\users\\contosoUser\\scrsave.scr",
						"creationTimeUtc": "2018-05-07T13:51:45.0045913Z",
						"type": "process"
					}
				],
				"isIncident": true,
				"correlationKey": "4hno6LF0xzCl5tqrk4nrBW+MY1BX816W6q6+0srk4",
				"compromisedEntity": "vm2",
				"extendedProperties": {
					"domain name": "vm2",
					"user name": "vm2\\contosoUser",
					"process name": "c:\\users\\contosoUser\\scrsave.scr",
					"command line": "c:\\users\\contosoUser\\scrsave.scr",
					"parent process": "cmd.exe",
					"process id": "0x4aec",
					"account logon id": "0x61450d87",
					"user SID": "S-1-5-21-2144575486-8928446540-5163864319-500",
					"parent process id": "0x3c44",
					"resourceType": "Virtual Machine"
				},
				"techniques": ["T1059", "T1053", "T1072"],
				"subTechniques": ["T1059.001", "T1059.006", "T1053.002"],
				"supportingEvidence": {
					"supportingEvidenceList": [
						{
							"evidenceElements": [
								{
									"text": {
										"arguments": {
											"sensitiveEnumerationTypes": {
												"type": "string[]",
												"value": ["UseDesKey"]
											},
											"domainName": {
												"type": "string",
												"value": "domainName"
											}
										},
										"localizationKey": "AATP_ALERTS_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT_EVIDENCE_ENUMERATION_DETAIL_A7C00BD7",
										"fallback": "Actor enumerated UseDesKey on domain1.test.local"
									},
									"type": "evidenceElement",
									"innerElements": null
								}
							],
							"type": "nestedList"
						},
						{
							"type": "tabularEvidences",
							"title": "Investigate activity test",
							"columns": [
								"Date",
								"Activity",
								"User",
								"TestedText",
								"TestedValue"
							],
							"rows": [
								[
									"2022-01-17T07:03:52.034Z",
									"Log on",
									"testUser",
									"false",
									false
								],
								[
									"2022-01-17T07:03:52.034Z",
									"Log on",
									"testUser2",
									"false",
									false
								],
								[
									"2022-01-17T07:03:52.034Z",
									"Log on",
									"testUser3",
									"true",
									true
								]
							]
						}
					],
					"type": "supportingEvidenceList"
				}
			}
		}
	]
}