Skip to main content

tenant security alerts list

Gets the security alerts for a tenant


m365 tenant security alerts list [options]


--vendor [vendor]

The vendor to return alerts for. Allowed values: Azure Advanced Threat Protection, Azure Security Center, Microsoft Cloud App Security, Azure Active Directory Identity Protection, Azure Sentinel, Microsoft Defender ATP. If omitted, all alerts are returned.

-h, --help [help]

Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is options.

--query [query]

JMESPath query string. See for more information and examples.

-o, --output [output]

Output type. json, text, csv, md, none. Default json.


Runs command with verbose logging.


Runs command with debug logging.


Get all security alerts for a tenant

m365 tenant security alerts list

Get security alerts for a vendor with name Azure Sentinel

m365 tenant security alerts list --vendor "Azure Sentinel"


"id": "2517536653831539999_658fa695-a5e6-4b60-ac7c-b2c1396df384",
"azureTenantId": "b8e1599d-b418-4be9-8f39-df03c3abe27a",
"azureSubscriptionId": "ee390228-e284-4e54-a464-d693a1d55540",
"riskScore": null,
"tags": [],
"activityGroupName": null,
"assignedTo": null,
"category": "Storage.Blob_GeoAnomaly",
"closedDateTime": null,
"comments": [],
"confidence": null,
"createdDateTime": "2022-03-30T13:19:15.8039138Z",
"description": "Someone has accessed your Azure Storage account 'westeuropegivcekj' from an unusual location.",
"detectionIds": [],
"eventDateTime": "2022-03-30T10:16:56.846Z",
"feedback": null,
"incidentIds": [],
"lastEventDateTime": null,
"lastModifiedDateTime": "2022-03-30T13:19:48.5196488Z",
"recommendedActions": [
"• Limit access to your storage account, following the 'least privilege' principle:• Consider using identity-based authentication:• Consider rotating the storage account access keys and ensure that your access tokens are only shared with authorized users.• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email."
"severity": "low",
"sourceMaterials": [
"status": "newAlert",
"title": "Access from an unusual location to a storage blob container",
"CustomProperties": "[\"{\\\"Alert Id\\\":\\\"658fa695-a5e6-4b60-ac7c-b2c1396df384\\\",\\\"Microsoft Entra user\\\":\\\"N/A (Microsoft Entra user authentication was not used)\\\",\\\"User agent\\\":\\\"Azure-Storage/9.3.0 (.NET Core)\\\",\\\"API type\\\":\\\"Blob\\\",\\\"Client location\\\":\\\"Dublin, Ireland\\\",\\\"Authentication type\\\":\\\"Shared access signature (SAS)\\\",\\\"Investigation steps\\\":\\\"{\\\\\\\"displayValue\\\\\\\":\\\\\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\\\\\",\\\\\\\"kind\\\\\\\":\\\\\\\"Link\\\\\\\",\\\\\\\"value\\\\\\\":\\\\\\\"https:\\\\\\\\/\\\\\\\\/\\\\\\\\/fwlink\\\\\\\\/?linkid=2075734\\\\\\\"}\\\",\\\"Operations types\\\":\\\"GetBlob\\\",\\\"Service type\\\":\\\"Azure Blobs\\\",\\\"Container\\\":\\\"temporary\\\",\\\"Potential causes\\\":\\\"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\\\\\Potential causes:\\\\\\• An attacker has accessed your storage account.\\\\\\• A legitimate user has accessed your storage account from a new location.\\\",\\\"resourceType\\\":\\\"Storage\\\",\\\"ReportingSystem\\\":\\\"Azure\\\"}\",\"\\\"InitialAccess\\\"\"]",
"vendorInformation": {
"provider": "ASC",
"providerVersion": null,
"subProvider": "StorageThreatDetection",
"vendor": "Microsoft"
"alertDetections": [],
"cloudAppStates": [],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"investigationSecurityStates": [],
"malwareStates": [],
"messageSecurityStates": [],
"networkConnections": [
"applicationName": null,
"destinationAddress": null,
"destinationDomain": null,
"destinationLocation": null,
"destinationPort": null,
"destinationUrl": null,
"direction": null,
"domainRegisteredDateTime": null,
"localDnsName": null,
"natDestinationAddress": null,
"natDestinationPort": null,
"natSourceAddress": null,
"natSourcePort": null,
"protocol": "tcp",
"riskScore": null,
"sourceAddress": "",
"sourceLocation": "Dublin, Dublin, IE",
"sourcePort": null,
"status": null,
"urlParameters": null
"processes": [],
"registryKeyStates": [],
"securityResources": [
"resource": "/subscriptions/bbdf91d0-d75b-430e-b738-2c525452144f/resourceGroups/managed-rg-purview-mip-poc/providers/Microsoft.Storage/storageAccounts/scanwesteuropegivcebj",
"resourceType": "attacked"
"triggers": [],
"userStates": [],
"uriClickSecurityStates": [],
"vulnerabilityStates": []