{ "value": [ { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/8940282b-9b00-434a-bb43-db327536ee19", "name": "8940282b-9b00-434a-bb43-db327536ee19", "etag": "\"dc00539c-0000-0100-0000-60b7b0c90000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Suspicious policy change and secret query in a Key Vault", "description": "THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a Key Vault policy change has been made and operations to list and/or get secrets occurred shortly thereafter. In addition, this operation pattern is not normally performed by the user on this vault. This is highly indicative that the Key Vault has been compromised and the secrets within have been stolen by a malicious actor.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:28.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:28.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:41.4891077Z", "createdTimeUtc": "2021-06-02T16:24:41.4891077Z", "incidentNumber": 72, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/8940282b-9b00-434a-bb43-db327536ee19" } }, { "id": 
"/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/2a5b4191-3472-4a59-b229-77d4c00d06e6", "name": "2a5b4191-3472-4a59-b229-77d4c00d06e6", "etag": "\"dc00549c-0000-0100-0000-60b7b0c90000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Suspicious PHP execution detected", "description": "THIS IS A SAMPLE ALERT: Machine logs indicate a that a suspicious PHP process is running. The action included an attempt to run OS commands or PHP code from the command line using the PHP process.\r\nWhile this behavior can be legitimate, in web applications this behavior is also observed in malicious activities such as attempts to infect websites with web shells.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:56.2347217Z", "lastActivityTimeUtc": "2021-06-02T16:23:56.2347217Z", "lastModifiedTimeUtc": "2021-06-02T16:24:41.5919946Z", "createdTimeUtc": "2021-06-02T16:24:41.5919946Z", "incidentNumber": 73, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Execution" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/2a5b4191-3472-4a59-b229-77d4c00d06e6" } }, { "id": 
"/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/1f12365e-068c-4ffb-be3e-4eb0e9e2f335", "name": "1f12365e-068c-4ffb-be3e-4eb0e9e2f335", "etag": "\"dc005a9c-0000-0100-0000-60b7b0ca0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] High volume of operations in a Key Vault", "description": "THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the number of vaults that a user or application accesses has changed compared to past historical data. Key Vault activity typically exhibits the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:32.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:32.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:42.0291834Z", "createdTimeUtc": "2021-06-02T16:24:42.0291834Z", "incidentNumber": 74, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/1f12365e-068c-4ffb-be3e-4eb0e9e2f335" } }, { "id": 
"/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/47dd1f9f-9313-4887-80a8-db6f60aa41e7", "name": "47dd1f9f-9313-4887-80a8-db6f60aa41e7", "etag": "\"dc00629c-0000-0100-0000-60b7b0ca0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Access from a Tor exit node to a storage account", "description": "THIS IS A SAMPLE ALERT: Someone has accessed your Azure Storage account 'Sample-Storage' from a suspicious IP address (active Tor exit node).", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:04.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:04.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:42.3635202Z", "createdTimeUtc": "2021-06-02T16:24:42.3635202Z", "incidentNumber": 75, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PreAttack" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/47dd1f9f-9313-4887-80a8-db6f60aa41e7" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/365c6aa9-f94f-40b3-bc19-80ff64980025", "name": "365c6aa9-f94f-40b3-bc19-80ff64980025", "etag": 
"\"dc00649c-0000-0100-0000-60b7b0ca0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Detected suspicious file cleanup commands", "description": "THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected a combination of systeminfo commands that has previously been associated with one of activity group GOLD's methods of performing post-compromise self-cleanup activity. While 'systeminfo.exe' is a legitimate Windows tool, executing it twice in succession, followed by a delete command in the way that has occurred here is rare.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:54.2347217Z", "lastActivityTimeUtc": "2021-06-02T16:23:54.2347217Z", "lastModifiedTimeUtc": "2021-06-02T16:24:42.4369356Z", "createdTimeUtc": "2021-06-02T16:24:42.4369356Z", "incidentNumber": 76, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "DefenseEvasion" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/365c6aa9-f94f-40b3-bc19-80ff64980025" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/6513d0e5-9eb5-450f-9f81-3c3df1333c53", "name": "6513d0e5-9eb5-450f-9f81-3c3df1333c53", "etag": 
"\"dc00669c-0000-0100-0000-60b7b0ca0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Anonymity network activity (Preview)", "description": "THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected anonymity network activity. Such activity, while possibly legitimate user behaviour, is frequently employed by attackers to evade tracking and fingerprinting of network communications. Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.", "severity": "Low", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:42.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:42.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:42.4873948Z", "createdTimeUtc": "2021-06-02T16:24:42.4873948Z", "incidentNumber": 77, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Exfiltration" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/6513d0e5-9eb5-450f-9f81-3c3df1333c53" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/8e94714f-20cc-4bf7-aa07-7a675e03b5a6", "name": "8e94714f-20cc-4bf7-aa07-7a675e03b5a6", "etag": 
"\"dc00689c-0000-0100-0000-60b7b0ca0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Detected Petya ransomware indicators", "description": "THIS IS A SAMPLE ALERT: Analysis of host data on OMS-AGENT-2 detected indicators associated with Petya ransomware. See https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ for more information. Review the command line associated in this alert and escalate this alert to your security team.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:52.2347217Z", "lastActivityTimeUtc": "2021-06-02T16:23:52.2347217Z", "lastModifiedTimeUtc": "2021-06-02T16:24:42.5911902Z", "createdTimeUtc": "2021-06-02T16:24:42.5911902Z", "incidentNumber": 78, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Execution" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/8e94714f-20cc-4bf7-aa07-7a675e03b5a6" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/f41758ab-3f9e-4471-a16f-574ce5ce8dca", "name": "f41758ab-3f9e-4471-a16f-574ce5ce8dca", "etag": "\"dc006e9c-0000-0100-0000-60b7b0cb0000\"", "type": 
"Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Communication with possible phishing domain (Preview)", "description": "THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a request for a possible phishing domain. Such activity, while possibly benign, is frequently performed by attackers to harvest credentials to remote services. Typical related attacker activity is likely to include the exploitation of any credentials on the legitimate service.", "severity": "Low", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:38.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:38.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.0150155Z", "createdTimeUtc": "2021-06-02T16:24:43.0150155Z", "incidentNumber": 79, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Exfiltration" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/f41758ab-3f9e-4471-a16f-574ce5ce8dca" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/711652e9-37ae-4f1b-a96f-fe737b400ad0", "name": "711652e9-37ae-4f1b-a96f-fe737b400ad0", "etag": "\"dc006f9c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", 
"properties": { "title": "[SAMPLE ALERT] Suspicious WordPress theme invocation detected", "description": "THIS IS A SAMPLE ALERT: The Azure App Service activity log indicates a possible code injection activity on your App Service resource.\r\nThe suspicious activity detected resembles that of a manipulation of WordPress theme to support server side execution of code, followed by a direct web request to invoke the manipulated theme file.\r\nThis type of activity was seen in the past as part of an attack campaign over WordPress.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:38.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:38.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.026394Z", "createdTimeUtc": "2021-06-02T16:24:43.026394Z", "incidentNumber": 80, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/711652e9-37ae-4f1b-a96f-fe737b400ad0" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/ee7831c5-49b1-4840-8a99-6ec37f8a7f92", "name": "ee7831c5-49b1-4840-8a99-6ec37f8a7f92", "etag": "\"dc00709c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", 
"properties": { "title": "[SAMPLE ALERT] Attempt to run high privilege command detected", "description": "THIS IS A SAMPLE ALERT: Analysis of App Service processes detected an attempt to run a command that requires high privileges.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:34.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:34.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.0321367Z", "createdTimeUtc": "2021-06-02T16:24:43.0321367Z", "incidentNumber": 81, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/ee7831c5-49b1-4840-8a99-6ec37f8a7f92" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/1674d797-8f22-4704-a897-51aa3ecc3b26", "name": "1674d797-8f22-4704-a897-51aa3ecc3b26", "etag": "\"dc00719c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] User accessed high volume of Key Vaults", "description": "THIS IS A SAMPLE ALERT: While may be benign it could also indicate that a larger volume of Key Vault operations has been performed compared to past historical data. 
Key Vaults typical exhibit the same behavior over time. This may be a legitimate change in activity but may also indicate that your Key Vault infrastructure has been compromised warranting further investigation.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:34.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:34.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.1010264Z", "createdTimeUtc": "2021-06-02T16:24:43.1010264Z", "incidentNumber": 82, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/1674d797-8f22-4704-a897-51aa3ecc3b26" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/6cf0197b-bcac-4c40-b542-13ef7d0f7154", "name": "6cf0197b-bcac-4c40-b542-13ef7d0f7154", "etag": "\"dc00759c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Permissions granted for an RBAC role in an unusual way for your Azure environment (Preview)", "description": "THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected an RBAC role assignment that's unusual when compared with other assignments, performed by the same 
assigner.\n The following components were anomalous:\n -Assigner Authentication Method \n This operation might have been performed by a legitimate user in your organization. Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to grant permissions to an additional user account they own.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:14.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:14.2190765Z", "lastModifiedTimeUtc": "2021-06-02T16:24:42.5978062Z", "createdTimeUtc": "2021-06-02T16:24:42.5978062Z", "incidentNumber": 83, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "DefenseEvasion", "LateralMovement" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/6cf0197b-bcac-4c40-b542-13ef7d0f7154" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/d1fea67e-aef1-4a6a-a7e4-b8ae347e2867", "name": "d1fea67e-aef1-4a6a-a7e4-b8ae347e2867", "etag": "\"dc00799c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Executable found running from a suspicious location", "description": "THIS IS A SAMPLE ALERT: Analysis 
of host data detected an executable file on Sample-VM that is running from a location in common with known suspicious files. This executable could either be legitimate activity, or an indication of a compromised host.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:00.2347217Z", "lastActivityTimeUtc": "2021-06-02T16:24:00.2347217Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.7964166Z", "createdTimeUtc": "2021-06-02T16:24:43.7964166Z", "incidentNumber": 84, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Execution" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/d1fea67e-aef1-4a6a-a7e4-b8ae347e2867" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/0667c13e-6ab0-4229-81c4-14f3c4328197", "name": "0667c13e-6ab0-4229-81c4-14f3c4328197", "etag": "\"dc007c9c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Access from a TOR exit node to a Key Vault", "description": "THIS IS A SAMPLE ALERT: While may be benign it could also indicate that the Key Vault has been accessed by someone using the TOR IP anonymization system to hide their true source location. 
This is suspicious because malicious actors will often try to mask their source location when attempting to gain unauthorized access to internet-connected resources.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:26.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:26.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.8525328Z", "createdTimeUtc": "2021-06-02T16:24:43.8525328Z", "incidentNumber": 85, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/0667c13e-6ab0-4229-81c4-14f3c4328197" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/3a19e367-d844-4e04-8ff5-d7a7d1472a9d", "name": "3a19e367-d844-4e04-8ff5-d7a7d1472a9d", "etag": "\"dc007e9c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] CoreDNS modification in Kubernetes detected", "description": "THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a modification of the CoreDNS configuration. The configuration of CoreDNS can be modified by overriding its configmap. 
While this activity can be legitimate, if attackers have permissions to modify the configmap, they can change the behavior of the cluster’s DNS server and poison it.", "severity": "Low", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:24.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:24.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.8905579Z", "createdTimeUtc": "2021-06-02T16:24:43.8905579Z", "incidentNumber": 86, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "LateralMovement" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/3a19e367-d844-4e04-8ff5-d7a7d1472a9d" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/cecaa8ca-93a1-4d7a-bc58-4d9297ca4abf", "name": "cecaa8ca-93a1-4d7a-bc58-4d9297ca4abf", "etag": "\"dc007f9c-0000-0100-0000-60b7b0cb0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Unusual deletion in a storage account", "description": "THIS IS A SAMPLE ALERT: Someone has performed an unusual deletion in your Azure storage account 'Sample-Storage'.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": 
[], "firstActivityTimeUtc": "2021-06-02T16:24:08.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:08.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.956549Z", "createdTimeUtc": "2021-06-02T16:24:43.956549Z", "incidentNumber": 87, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Exfiltration" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/cecaa8ca-93a1-4d7a-bc58-4d9297ca4abf" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/41beceff-760a-471c-944b-e00ef92b50d6", "name": "41beceff-760a-471c-944b-e00ef92b50d6", "etag": "\"dc00829c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Attempted communication with suspicious sinkholed domain (Preview)", "description": "THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected request for sinkholed domain. Such activity, while possibly legitimate user behaviour, is frequently an indication of the download or execution of malicious software. 
Typical related attacker activity is likely to include the download and execution of further malicious software or remote administration tools.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:36.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:36.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.0158541Z", "createdTimeUtc": "2021-06-02T16:24:43.0158541Z", "incidentNumber": 88, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Exfiltration" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/41beceff-760a-471c-944b-e00ef92b50d6" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/07e4f5d0-aa00-4f90-ba6c-6391844fe6e6", "name": "07e4f5d0-aa00-4f90-ba6c-6391844fe6e6", "etag": "\"dc00839c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Attempted logon by a potentially harmful application", "description": "THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access SQL server 'Sample-SQL'.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], 
"firstActivityTimeUtc": "2021-06-02T16:24:16.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:16.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:43.0274818Z", "createdTimeUtc": "2021-06-02T16:24:43.0274818Z", "incidentNumber": 89, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PreAttack" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/07e4f5d0-aa00-4f90-ba6c-6391844fe6e6" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/b1a9bf85-6766-4b54-9e1b-b9b3fb9755f2", "name": "b1a9bf85-6766-4b54-9e1b-b9b3fb9755f2", "etag": "\"dc00849c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Exposed Kubernetes service detected", "description": "THIS IS A SAMPLE ALERT: The Kubernetes audit log analysis detected exposure of a service by a load balancer. This service is related to a sensitive application that allows high impact operations in the cluster such as running processes on the node or creating new containers.\nIn some cases, this service doesn't require authentication. 
If the service doesn't require authentication, exposing it to the internet poses a security risk.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:22.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:22.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.066669Z", "createdTimeUtc": "2021-06-02T16:24:44.066669Z", "incidentNumber": 90, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "InitialAccess" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/b1a9bf85-6766-4b54-9e1b-b9b3fb9755f2" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/8eb431f8-3223-4e0b-86b7-dc1db6efa26b", "name": "8eb431f8-3223-4e0b-86b7-dc1db6efa26b", "etag": "\"dc00869c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Suspicious secret listing and query in a Key Vault", "description": "THIS IS A SAMPLE ALERT: While it may be benign, it could also indicate that a Secret List operation was followed by numerous Secret Get operations. In addition, this operation pattern is not normally performed by the user on this vault. 
This is likely indicative that someone is dumping the secrets stored in the Key Vault for potentially malicious purposes.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:30.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:30.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.2123293Z", "createdTimeUtc": "2021-06-02T16:24:44.2123293Z", "incidentNumber": 91, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/8eb431f8-3223-4e0b-86b7-dc1db6efa26b" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/611a0b21-2faa-4ad1-8286-8169132d9ecd", "name": "611a0b21-2faa-4ad1-8286-8169132d9ecd", "etag": "\"dc00879c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Container with a sensitive volume mount detected", "description": "THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a new container with a sensitive volume mount. The volume that was detected is a hostPath type which mounts a sensitive file or folder from the node to the container. 
If the container gets compromised, the attacker can use this mount for gaining access to the node.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:24.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:24.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.2277995Z", "createdTimeUtc": "2021-06-02T16:24:44.2277995Z", "incidentNumber": 92, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PrivilegeEscalation" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/611a0b21-2faa-4ad1-8286-8169132d9ecd" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/3da327c7-8274-4cb9-bcd9-3dd4f4102ba3", "name": "3da327c7-8274-4cb9-bcd9-3dd4f4102ba3", "etag": "\"dc00899c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Logon from an unusual location", "description": "THIS IS A SAMPLE ALERT: Someone logged on to your SQL server Sample-SQL from an unusual location.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:12.203495Z", "lastActivityTimeUtc": 
"2021-06-02T16:24:12.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.2867685Z", "createdTimeUtc": "2021-06-02T16:24:44.2867685Z", "incidentNumber": 93, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "InitialAccess" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/3da327c7-8274-4cb9-bcd9-3dd4f4102ba3" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/29328054-7ad3-4686-be5d-ece846c80e9a", "name": "29328054-7ad3-4686-be5d-ece846c80e9a", "etag": "\"dc008b9c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Custom script extension with suspicious command in your virtual machine (Preview)", "description": "THIS IS A SAMPLE ALERT: A custom script extension with a suspicious command was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\nAttackers may use the custom script extension to execute malicious code on your virtual machine via the Azure Resource Manager.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:44.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:44.2190765Z", "lastModifiedTimeUtc": 
"2021-06-02T16:24:44.2976618Z", "createdTimeUtc": "2021-06-02T16:24:44.2976618Z", "incidentNumber": 94, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Execution" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/29328054-7ad3-4686-be5d-ece846c80e9a" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/c099007a-c7d6-4980-851b-2af551472b8f", "name": "c099007a-c7d6-4980-851b-2af551472b8f", "etag": "\"dc008c9c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Dangling DNS record for an App Service resource detected", "description": "THIS IS A SAMPLE ALERT: A DNS record that points to a recently deleted App Service resource (also known as \"dangling DNS\" entry) has been detected. This leaves you susceptible to a subdomain takeover. 
Subdomain takeovers enable malicious actors to redirect traffic intended for an organization’s domain to a site performing malicious activity.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:32.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:32.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.3089332Z", "createdTimeUtc": "2021-06-02T16:24:44.3089332Z", "incidentNumber": 95, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/c099007a-c7d6-4980-851b-2af551472b8f" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/7b0a7201-58c6-4772-ad28-dc438002ead0", "name": "7b0a7201-58c6-4772-ad28-dc438002ead0", "etag": "\"dc008d9c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Privileged custom role created for your subscription in a suspicious way (Preview)", "description": "THIS IS A SAMPLE ALERT: Azure Defender for Resource Manager detected a suspicious creation of privileged custom role definition in your subscription. This operation might have been performed by a legitimate user in your organization. 
Alternatively, it might indicate that an account in your organization was breached, and that the threat actor is trying to create a privileged role to use in the future to evade detection.", "severity": "Low", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:12.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:12.2190765Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.3477021Z", "createdTimeUtc": "2021-06-02T16:24:44.3477021Z", "incidentNumber": 96, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PrivilegeEscalation", "DefenseEvasion" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/7b0a7201-58c6-4772-ad28-dc438002ead0" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/589ec8b4-24c7-421c-a58a-3b3e5bdf07fc", "name": "589ec8b4-24c7-421c-a58a-3b3e5bdf07fc", "etag": "\"dc00909c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Suspected successful brute force attack", "description": "THIS IS A SAMPLE ALERT: A successful login occurred after an apparent brute force attack on your resource", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, 
"userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:22.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:22.2190765Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.4962513Z", "createdTimeUtc": "2021-06-02T16:24:44.4962513Z", "incidentNumber": 97, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PreAttack" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/589ec8b4-24c7-421c-a58a-3b3e5bdf07fc" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/052e98cf-d817-44f2-a1b9-93a49552d0f1", "name": "052e98cf-d817-44f2-a1b9-93a49552d0f1", "etag": "\"dc00929c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Possible data exfiltration via DNS tunnel (Preview)", "description": "THIS IS A SAMPLE ALERT: Analysis of DNS transactions from %{CompromisedEntity} detected a possible DNS tunnel. Such activity, while possibly legitimate user behaviour, is frequently performed by attackers to evade network monitoring and filtering. 
Typical related attacker activity is likely to include the download and execution of malicious software or remote administration tools.", "severity": "Low", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:40.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:40.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.5429472Z", "createdTimeUtc": "2021-06-02T16:24:44.5429472Z", "incidentNumber": 98, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Exfiltration" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/052e98cf-d817-44f2-a1b9-93a49552d0f1" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/45b85643-5b3c-4acb-83a7-0aa8ad09aaaf", "name": "45b85643-5b3c-4acb-83a7-0aa8ad09aaaf", "etag": "\"dc00939c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Unusual change of access permissions in a storage account", "description": "THIS IS A SAMPLE ALERT: Someone has performed an unusual change of access permissions of a container in your Azure storage account 'Sample-Storage'.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, 
"userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:06.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:06.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.5578223Z", "createdTimeUtc": "2021-06-02T16:24:44.5578223Z", "incidentNumber": 99, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Persistence" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/45b85643-5b3c-4acb-83a7-0aa8ad09aaaf" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/082a7334-4d98-469f-9800-3cf73444cc80", "name": "082a7334-4d98-469f-9800-3cf73444cc80", "etag": "\"dc00949c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Digital currency mining container detected", "description": "THIS IS A SAMPLE ALERT: Kubernetes audit log analysis detected a container that has an image associated with a digital currency mining tool.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:26.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:26.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.5631646Z", "createdTimeUtc": "2021-06-02T16:24:44.5631646Z", "incidentNumber": 100, 
"additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Execution" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/082a7334-4d98-469f-9800-3cf73444cc80" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/7dafa083-926d-48a4-841c-17056fd620d1", "name": "7dafa083-926d-48a4-841c-17056fd620d1", "etag": "\"dc00979c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Potential SQL Brute Force attempt", "description": "THIS IS A SAMPLE ALERT: Someone is attempting to brute force credentials to your SQL server 'Sample-SQL'.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:18.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:18.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.8098207Z", "createdTimeUtc": "2021-06-02T16:24:44.8098207Z", "incidentNumber": 101, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PreAttack" ] }, "relatedAnalyticRuleIds": [ 
"/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/7dafa083-926d-48a4-841c-17056fd620d1" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/62080dae-9b31-4279-b333-981e45d24d90", "name": "62080dae-9b31-4279-b333-981e45d24d90", "etag": "\"dc00989c-0000-0100-0000-60b7b0cc0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Antimalware real-time protection was disabled in your virtual machine (Preview)", "description": "THIS IS A SAMPLE ALERT: Real-time protection disablement of the antimalware extension was detected in your virtual machine by analyzing the Azure Resource Manager operations in your subscription.\nAttackers might disable real-time protection from the antimalware scan on your virtual machine to avoid detection while running arbitrary code or infecting the machine with malware.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:46.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:46.2190765Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.8218463Z", "createdTimeUtc": "2021-06-02T16:24:44.8218463Z", "incidentNumber": 102, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "DefenseEvasion" ] }, "relatedAnalyticRuleIds": [ 
"/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/62080dae-9b31-4279-b333-981e45d24d90" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/d8bb9fcc-4772-4dea-9839-1da4a0e27849", "name": "d8bb9fcc-4772-4dea-9839-1da4a0e27849", "etag": "\"dc00a79c-0000-0100-0000-60b7b0cd0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Potential SQL Injection", "description": "THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database Sample-DB on server Sample-VM", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:20.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:20.2190765Z", "lastModifiedTimeUtc": "2021-06-02T16:24:45.4702162Z", "createdTimeUtc": "2021-06-02T16:24:45.4702162Z", "incidentNumber": 103, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PreAttack" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": 
"https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/d8bb9fcc-4772-4dea-9839-1da4a0e27849" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/584965f8-acd1-4c7a-ae8d-00151ffb703b", "name": "584965f8-acd1-4c7a-ae8d-00151ffb703b", "etag": "\"dc00aa9c-0000-0100-0000-60b7b0cd0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Attempted logon by a potentially harmful application", "description": "THIS IS A SAMPLE ALERT: A potentially harmful application attempted to access your resource.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:18.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:18.2190765Z", "lastModifiedTimeUtc": "2021-06-02T16:24:44.4977539Z", "createdTimeUtc": "2021-06-02T16:24:44.4977539Z", "incidentNumber": 104, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "PreAttack" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/584965f8-acd1-4c7a-ae8d-00151ffb703b" } }, { "id": 
"/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/669fbc8b-6807-4158-889f-0a81012ae12b", "name": "669fbc8b-6807-4158-889f-0a81012ae12b", "etag": "\"dc00af9c-0000-0100-0000-60b7b0cd0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Phishing content hosted on Azure Webapps", "description": "THIS IS A SAMPLE ALERT: A URL used for a phishing attack was found on the Azure AppServices website. This URL was part of a phishing attack sent to O365 customers. The content typically lures visitors into entering their corporate credentials or financial information into a legitimate-looking website.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:36.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:36.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:45.9521621Z", "createdTimeUtc": "2021-06-02T16:24:45.9521621Z", "incidentNumber": 105, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Collection" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/669fbc8b-6807-4158-889f-0a81012ae12b" } }, { "id": 
"/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/3c897c61-3b5d-4ffe-9752-11f95824d994", "name": "3c897c61-3b5d-4ffe-9752-11f95824d994", "etag": "\"dc00b79c-0000-0100-0000-60b7b0ce0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Unusual export location", "description": "THIS IS A SAMPLE ALERT: Someone has extracted a massive amount of data from your SQL Server 'Sample-SQL' to an unusual location.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:10.203495Z", "lastActivityTimeUtc": "2021-06-02T16:24:10.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:46.1724078Z", "createdTimeUtc": "2021-06-02T16:24:46.1724078Z", "incidentNumber": 106, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Exfiltration" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/3c897c61-3b5d-4ffe-9752-11f95824d994" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/04b26cf2-9b9e-41b3-ab0b-a044537fed79", "name": "04b26cf2-9b9e-41b3-ab0b-a044537fed79", "etag": 
"\"dc00b89c-0000-0100-0000-60b7b0ce0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Digital currency mining related behavior detected", "description": "THIS IS A SAMPLE ALERT: Analysis of host data on Sample-VM detected the execution of a process or command normally associated with digital currency mining.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:58.2347217Z", "lastActivityTimeUtc": "2021-06-02T16:23:58.2347217Z", "lastModifiedTimeUtc": "2021-06-02T16:24:46.1952601Z", "createdTimeUtc": "2021-06-02T16:24:46.1952601Z", "incidentNumber": 107, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Execution" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/04b26cf2-9b9e-41b3-ab0b-a044537fed79" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/49775a10-67fa-481d-a7a0-f261d17f5312", "name": "49775a10-67fa-481d-a7a0-f261d17f5312", "etag": "\"dc00b99c-0000-0100-0000-60b7b0ce0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] AKS API requests from proxy IP address detected", "description": "THIS IS A SAMPLE ALERT: Kubernetes audit log analysis 
detected API requests to your cluster from an IP address that is associated with proxy services, such as TOR.\r\nWhile this behavior can be legitimate, it's often seen in malicious activities, when attackers try to hide their source IP.", "severity": "Low", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:30.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:30.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:46.2244375Z", "createdTimeUtc": "2021-06-02T16:24:46.2244375Z", "incidentNumber": 108, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Execution" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/49775a10-67fa-481d-a7a0-f261d17f5312" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/f663671c-889f-43e9-915e-793c36f52802", "name": "f663671c-889f-43e9-915e-793c36f52802", "etag": "\"dc00ba9c-0000-0100-0000-60b7b0ce0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] MicroBurst exploitation toolkit used to extract keys to your storage accounts (Preview)", "description": "THIS IS A SAMPLE ALERT: MicroBurst's exploitation toolkit was used to extract keys to your storage accounts. 
This was detected by analyzing Azure Activity logs and resource management operations in your subscription.", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:48.2190765Z", "lastActivityTimeUtc": "2021-06-02T16:23:48.2190765Z", "lastModifiedTimeUtc": "2021-06-02T16:24:46.2907196Z", "createdTimeUtc": "2021-06-02T16:24:46.2907196Z", "incidentNumber": 109, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "Collection" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/f663671c-889f-43e9-915e-793c36f52802" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/cb19b093-2a21-4756-9892-aef2f396490a", "name": "cb19b093-2a21-4756-9892-aef2f396490a", "etag": "\"dc00bb9c-0000-0100-0000-60b7b0ce0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Kubernetes events deleted", "description": "THIS IS A SAMPLE ALERT: Security Center detected that some Kubernetes events have been deleted. Kubernetes events are objects in Kubernetes which contain information about changes in the cluster. 
Attackers might delete those events to hide their operations in the cluster.", "severity": "Medium", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:23:28.203495Z", "lastActivityTimeUtc": "2021-06-02T16:23:28.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:46.3217691Z", "createdTimeUtc": "2021-06-02T16:24:46.3217691Z", "incidentNumber": 110, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [ "DefenseEvasion" ] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/cb19b093-2a21-4756-9892-aef2f396490a" } }, { "id": "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/361d5e98-2c77-4957-a36f-8556e46d2373", "name": "361d5e98-2c77-4957-a36f-8556e46d2373", "etag": "\"dc00c29c-0000-0100-0000-60b7b0ce0000\"", "type": "Microsoft.SecurityInsights/Incidents", "properties": { "title": "[SAMPLE ALERT] Potential SQL Injection", "description": "THIS IS A SAMPLE ALERT: Potential SQL Injection was detected on your database elitronix-com on server Sample-SQL", "severity": "High", "status": "New", "owner": { "objectId": null, "email": null, "assignedTo": null, "userPrincipalName": null }, "labels": [], "firstActivityTimeUtc": "2021-06-02T16:24:14.203495Z", "lastActivityTimeUtc": 
"2021-06-02T16:24:14.203495Z", "lastModifiedTimeUtc": "2021-06-02T16:24:46.6313637Z", "createdTimeUtc": "2021-06-02T16:24:46.6313637Z", "incidentNumber": 111, "additionalData": { "alertsCount": 1, "bookmarksCount": 0, "commentsCount": 0, "alertProductNames": [ "Azure Security Center" ], "tactics": [] }, "relatedAnalyticRuleIds": [ "/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/alertRules/42ae9c72-0f95-4c97-b26c-5e270b45950e" ], "incidentUrl": "https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/Incidents/361d5e98-2c77-4957-a36f-8556e46d2373" } } ], "nextLink": "https://management.azure.com:443/subscriptions/78eb5ca4-4bb7-4659-8ee4-ee0090ae7e9a/resourceGroups//providers/Microsoft.OperationalInsights/workspaces/-workspace/providers/Microsoft.SecurityInsights/incidents?api-version=2020-01-01&$filter=properties/lastModifiedTimeUtc ge 2021-05-31T00:00:00.123Z and properties/status ne 'Closed'&$orderby=properties/lastModifiedTimeUtc asc&$top=40&$skipToken=H4sIAAAAAAAACk1QTW-CQBT8L8vRJoCySDfxMMsugtTyISWBpgfb2EUtGGqNtsb-9q4X08N7eV8z8zLPZ_K12646wsggjwT79ey3LR6eflzH5aPCAcAzcZxMjLxgtlHkPnMsXQsWprNZGxf2oe4_OO-m34-LhM_DOhgdwgQaEC1KNjQimTCXUmobmR-wsRGkPoPaUE2MTFhAerxqIM2AgQ5I3OvcIpm-mhXGqozgpaYZ2gd0lRyqYJnGEUzlzzVMIQ6BspK7JhpioG74BYTU3M2hf5SJCVmrUPdZtlbp_qY3VaIR-yqMHbxvmuv9scngoXfKHKhgVW3d_PsPyj_12gtyRz6XnVoRdibt-uqdRX1bUi44ldySet8uT7ex4A73qeeSy-XlD6hpY2dwAQAA" }