Skip to main content

tenant security alerts list

Gets the security alerts for a tenant

Usage

m365 tenant security alerts list [options]

Options

--vendor [vendor]

The vendor to return alerts for. Possible values Azure Advanced Threat Protection, Azure Security Center, Microsoft Cloud App Security, Azure Active Directory Identity Protection, Azure Sentinel, Microsoft Defender ATP. If omitted, all alerts are returned

-h, --help [help]

Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is options.

--query [query]

JMESPath query string. See http://jmespath.org/ for more information and examples.

-o, --output [output]

Output type. json, text, csv, md, none. Default json.

--verbose

Runs command with verbose logging.

--debug

Runs command with debug logging.

Examples

Get all security alerts for a tenant

m365 tenant security alerts list

Get security alerts for a vendor with name Azure Sentinel

m365 tenant security alerts list --vendor "Azure Sentinel"

Response

[
  {
      "id": "2517536653831539999_658fa695-a5e6-4b60-ac7c-b2c1396df384",
      "azureTenantId": "b8e1599d-b418-4be9-8f39-df03c3abe27a",
      "azureSubscriptionId": "ee390228-e284-4e54-a464-d693a1d55540",
      "riskScore": null,
      "tags": [],
      "activityGroupName": null,
      "assignedTo": null,
      "category": "Storage.Blob_GeoAnomaly",
      "closedDateTime": null,
      "comments": [],
      "confidence": null,
      "createdDateTime": "2022-03-30T13:19:15.8039138Z",
      "description": "Someone has accessed your Azure Storage account 'westeuropegivcekj' from an unusual location.",
      "detectionIds": [],
      "eventDateTime": "2022-03-30T10:16:56.846Z",
      "feedback": null,
      "incidentIds": [],
      "lastEventDateTime": null,
      "lastModifiedDateTime": "2022-03-30T13:19:48.5196488Z",
      "recommendedActions": [
        "• Limit access to your storage account, following the 'least privilege' principle: https://go.microsoft.com/fwlink/?linkid=2187303.• Consider using identity-based authentication: https://go.microsoft.com/fwlink/?linkid=2187202.• Consider rotating the storage account access keys and ensure that your access tokens are only shared with authorized users.• Ensure that storage access tokens are stored in a secured location such as Azure Key Vault. Avoid storing or sharing storage access tokens in source code, documentation, and email."
      ],
      "severity": "low",
      "sourceMaterials": [
        "https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/2517536653831539999_658fa695-a5e6-4b60-ac7c-b2c1396df384/subscriptionId/bbdf91d0-d75b-430e-b738-2c525452144f/resourceGroup/managed-rg-purview-mip-poc/referencedFrom/alertDeepLink/location/westeurope"
      ],
      "status": "newAlert",
      "title": "Access from an unusual location to a storage blob container",
      "CustomProperties": "[\"{\\\"Alert Id\\\":\\\"658fa695-a5e6-4b60-ac7c-b2c1396df384\\\",\\\"Azure AD user\\\":\\\"N/A (Azure AD user authentication was not used)\\\",\\\"User agent\\\":\\\"Azure-Storage/9.3.0 (.NET Core)\\\",\\\"API type\\\":\\\"Blob\\\",\\\"Client location\\\":\\\"Dublin, Ireland\\\",\\\"Authentication type\\\":\\\"Shared access signature (SAS)\\\",\\\"Investigation steps\\\":\\\"{\\\\\\\"displayValue\\\\\\\":\\\\\\\"View related storage activity using Storage Analytics Logging. See how to configure Storage Analytics logging and more information\\\\\\\",\\\\\\\"kind\\\\\\\":\\\\\\\"Link\\\\\\\",\\\\\\\"value\\\\\\\":\\\\\\\"https:\\\\\\\\/\\\\\\\\/go.microsoft.com\\\\\\\\/fwlink\\\\\\\\/?linkid=2075734\\\\\\\"}\\\",\\\"Operations types\\\":\\\"GetBlob\\\",\\\"Service type\\\":\\\"Azure Blobs\\\",\\\"Container\\\":\\\"temporary\\\",\\\"Potential causes\\\":\\\"This alert indicates that this account has been accessed successfully from an IP address that is unfamiliar and unexpected compared to recent access pattern on this account.\\\\\\Potential causes:\\\\\\• An attacker has accessed your storage account.\\\\\\• A legitimate user has accessed your storage account from a new location.\\\",\\\"resourceType\\\":\\\"Storage\\\",\\\"ReportingSystem\\\":\\\"Azure\\\"}\",\"\\\"InitialAccess\\\"\"]",
      "vendorInformation": {
        "provider": "ASC",
        "providerVersion": null,
        "subProvider": "StorageThreatDetection",
        "vendor": "Microsoft"
      },
      "alertDetections": [],
      "cloudAppStates": [],
      "fileStates": [],
      "hostStates": [],
      "historyStates": [],
      "investigationSecurityStates": [],
      "malwareStates": [],
      "messageSecurityStates": [],
      "networkConnections": [
        {
          "applicationName": null,
          "destinationAddress": null,
          "destinationDomain": null,
          "destinationLocation": null,
          "destinationPort": null,
          "destinationUrl": null,
          "direction": null,
          "domainRegisteredDateTime": null,
          "localDnsName": null,
          "natDestinationAddress": null,
          "natDestinationPort": null,
          "natSourceAddress": null,
          "natSourcePort": null,
          "protocol": "tcp",
          "riskScore": null,
          "sourceAddress": "52.214.204.49",
          "sourceLocation": "Dublin, Dublin, IE",
          "sourcePort": null,
          "status": null,
          "urlParameters": null
        }
      ],
      "processes": [],
      "registryKeyStates": [],
      "securityResources": [
        {
          "resource": "/subscriptions/bbdf91d0-d75b-430e-b738-2c525452144f/resourceGroups/managed-rg-purview-mip-poc/providers/Microsoft.Storage/storageAccounts/scanwesteuropegivcebj",
          "resourceType": "attacked"
        }
      ],
      "triggers": [],
      "userStates": [],
      "uriClickSecurityStates": [],
      "vulnerabilityStates": []
    }
]
CTRL + M