openapi-directory
Building & bundling https://github.com/APIs-guru/openapi-directory for easy use from JS
{"openapi":"3.0.0","info":{"description":"API spec for Microsoft.Security (Azure Security Center) resource provider","title":"Security Center","version":"2019-01-01","x-apisguru-categories":["cloud"],"x-logo":{"url":"https://assets.onestore.ms/cdnfiles/onestorerolling-1606-01000/shell/v3/images/logo/microsoft.png"},"x-origin":[{"format":"swagger","url":"https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/specification/security/resource-manager/Microsoft.Security/stable/2019-01-01/alerts.json","version":"2.0"}],"x-preferred":true,"x-providerName":"azure.com","x-serviceName":"security-alerts","x-tags":["Azure","Microsoft"]},"security":[{"azure_auth":["user_impersonation"]}],"paths":{"/subscriptions/{subscriptionId}/providers/Microsoft.Security/alerts":{"get":{"description":"List all the alerts that are associated with the subscription","operationId":"Alerts_List","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Get security alerts on a subscription":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Get security alerts on a subscription":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"$ref":"#/components/parameters/ODataFilter"},{"$ref":"#/components/parameters/ODataSelect"},{"$ref":"#/components/parameters/ODataExpand"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertList"},"examples":{"Get security alerts on a subscription":{"$ref":"#/components/examples/Get_security_alerts_on_a_subscription"}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error 
details.","properties":{"code":{"description":"An identifier for the error. Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"],"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts":{"get":{"description":"List all the alerts that are associated with the subscription that are stored in a specific location","operationId":"Alerts_ListSubscriptionLevelAlertsByRegion","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Get security alerts on a subscription from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Get security alerts on a subscription from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. 
can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Get security alerts on a subscription from a security data location":{"value":"westeurope"}}},{"$ref":"#/components/parameters/ODataFilter"},{"$ref":"#/components/parameters/ODataSelect"},{"$ref":"#/components/parameters/ODataExpand"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertList"},"examples":{"Get security alerts on a subscription from a security data location":{"$ref":"#/components/examples/Get_security_alerts_on_a_subscription_from_a_security_data_location"}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"],"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}":{"get":{"description":"Get an alert that is associated with a subscription","operationId":"Alerts_GetSubscriptionLevelAlert","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Get security alert on a subscription from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription 
ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Get security alert on a subscription from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Get security alert on a subscription from a security data location":{"value":"westeurope"}}},{"$ref":"#/components/parameters/AlertName"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Alert"},"examples":{"Get security alert on a subscription from a security data location":{"$ref":"#/components/examples/Get_security_alert_on_a_subscription_from_a_security_data_location"}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"]}},"/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss":{"post":{"description":"Update the alert's state","operationId":"Alerts_UpdateSubscriptionLevelAlertStateToDismiss","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Update security alert state on a subscription from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Update security alert state on a subscription from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Update security alert state on a subscription from a security data location":{"value":"westeurope"}}},{"$ref":"#/components/parameters/AlertName"}],"responses":{"204":{"description":"No Content"},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"]}},"/subscriptions/{subscriptionId}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate":{"post":{"description":"Update the alert's state","operationId":"Alerts_UpdateSubscriptionLevelAlertStateToReactivate","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Update security alert state on a subscription from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Update security alert state on a subscription from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Update security alert state on a subscription from a security data location":{"value":"westeurope"}}},{"$ref":"#/components/parameters/AlertName"}],"responses":{"204":{"description":"No Content"},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"]}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/alerts":{"get":{"description":"List all the alerts that are associated with the resource group","operationId":"Alerts_ListByResourceGroup","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Get security alerts on a resource group":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Get security alerts on a resource group":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The name of the resource group within the user's subscription. 
The name is case insensitive.","in":"path","name":"resourceGroupName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string","minLength":1,"maxLength":90,"pattern":"^[-\\w\\._\\(\\)]+$"},"examples":{"Get security alerts on a resource group":{"value":"myRg1"}}},{"$ref":"#/components/parameters/ODataFilter"},{"$ref":"#/components/parameters/ODataSelect"},{"$ref":"#/components/parameters/ODataExpand"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertList"},"examples":{"Get security alerts on a resource group":{"$ref":"#/components/examples/Get_security_alerts_on_a_resource_group"}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"],"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts":{"get":{"description":"List all the alerts that are associated with the resource group that are stored in a specific location","operationId":"Alerts_ListResourceGroupLevelAlertsByRegion","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Get security alerts on a resource group from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription 
ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Get security alerts on a resource group from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Get security alerts on a resource group from a security data location":{"value":"westeurope"}}},{"description":"The name of the resource group within the user's subscription. The name is case insensitive.","in":"path","name":"resourceGroupName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string","minLength":1,"maxLength":90,"pattern":"^[-\\w\\._\\(\\)]+$"},"examples":{"Get security alerts on a resource group from a security data location":{"value":"myRg1"}}},{"$ref":"#/components/parameters/ODataFilter"},{"$ref":"#/components/parameters/ODataSelect"},{"$ref":"#/components/parameters/ODataExpand"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AlertList"},"examples":{"Get security alerts on a resource group from a security data location":{"$ref":"#/components/examples/Get_security_alerts_on_a_resource_group_from_a_security_data_location"}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"],"x-ms-pageable":{"nextLinkName":"nextLink"}}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}":{"get":{"description":"Get an alert that is associated a resource group or a resource in a resource group","operationId":"Alerts_GetResourceGroupLevelAlerts","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Get security alert on a resource group from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Get security alert on a resource group from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Get security alert on a resource group from a security data location":{"value":"westeurope"}}},{"$ref":"#/components/parameters/AlertName"},{"description":"The name of the resource group within the user's subscription. 
The name is case insensitive.","in":"path","name":"resourceGroupName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string","minLength":1,"maxLength":90,"pattern":"^[-\\w\\._\\(\\)]+$"},"examples":{"Get security alert on a resource group from a security data location":{"value":"myRg1"}}}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Alert"},"examples":{"Get security alert on a resource group from a security data location":{"$ref":"#/components/examples/Get_security_alert_on_a_resource_group_from_a_security_data_location"}}}}},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"]}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/dismiss":{"post":{"description":"Update the alert's state","operationId":"Alerts_UpdateResourceGroupLevelAlertStateToDismiss","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Update security alert state on a resource group from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Update security alert 
state on a resource group from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Update security alert state on a resource group from a security data location":{"value":"westeurope"}}},{"$ref":"#/components/parameters/AlertName"},{"description":"The name of the resource group within the user's subscription. The name is case insensitive.","in":"path","name":"resourceGroupName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string","minLength":1,"maxLength":90,"pattern":"^[-\\w\\._\\(\\)]+$"},"examples":{"Update security alert state on a resource group from a security data location":{"value":"myRg2"}}}],"responses":{"204":{"description":"No Content"},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. 
Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"]}},"/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/alerts/{alertName}/reactivate":{"post":{"description":"Update the alert's state","operationId":"Alerts_UpdateResourceGroupLevelAlertStateToReactivate","parameters":[{"description":"API version for the operation","in":"query","name":"api-version","required":true,"schema":{"type":"string"},"examples":{"Update security alert state on a resource group from a security data location":{"value":"2019-01-01"}}},{"description":"Azure subscription ID","in":"path","name":"subscriptionId","required":true,"schema":{"type":"string","pattern":"^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$"},"examples":{"Update security alert state on a resource group from a security data location":{"value":"20ff7fc3-e762-44dd-bd96-b71116dcdc23"}}},{"description":"The location where ASC stores the data of the subscription. can be retrieved from Get locations","in":"path","name":"ascLocation","required":true,"x-ms-parameter-location":"client","schema":{"type":"string"},"examples":{"Update security alert state on a resource group from a security data location":{"value":"westeurope"}}},{"$ref":"#/components/parameters/AlertName"},{"description":"The name of the resource group within the user's subscription. 
The name is case insensitive.","in":"path","name":"resourceGroupName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string","minLength":1,"maxLength":90,"pattern":"^[-\\w\\._\\(\\)]+$"},"examples":{"Update security alert state on a resource group from a security data location":{"value":"myRg2"}}}],"responses":{"204":{"description":"No Content"},"default":{"description":"Error response describing why the operation failed.","content":{"application/json":{"schema":{"description":"Error response structure.","properties":{"error":{"description":"Error details.","properties":{"code":{"description":"An identifier for the error. Codes are invariant and are intended to be consumed programmatically.","readOnly":true,"type":"string"},"message":{"description":"A message describing the error, intended to be suitable for display in a user interface.","readOnly":true,"type":"string"}},"type":"object","x-ms-external":true}},"type":"object","x-ms-external":true}}}}},"tags":["Alerts"]}}},"servers":[{"url":"https://management.azure.com"}],"components":{"examples":{"Get_security_alerts_on_a_subscription":{"value":{"value":[{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","name":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","properties":{"actionTaken":"Detected","alertDisplayName":"Threat Intelligence Alert","alertName":"ThreatIntelligence","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1","canBeInvestigated":true,"compromisedEntity":"vm1","confidenceReasons":[{"reason":"Some user reason","type":"User"},{"reason":"Some proccess reason","type":"Process"},{"reason":"Some computer reason","type":"Computer"}],"confidenceScore":0.8,"correlationKey":"Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=","description":"Process 
was detected running on the host and is considered to be suspicious, verify that the user run it","detectedTimeUtc":"2018-05-01T19:50:47.083633Z","entities":[{"address":"192.0.2.1","location":{"asn":6584,"city":"sonning","countryCode":"gb","latitude":51.468,"longitude":-0.909,"state":"wokingham"},"threatIntelligence":[{"confidence":0.8,"providerName":"Team Cymru","reportLink":"http://www.microsoft.com","threatDescription":"In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. 
In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.","threatName":"rarog","threatType":"C2"}],"type":"ip"}],"extendedProperties":{"attacker IP":"192.0.2.1","domain Name":"Contoso","resourceType":"Virtual Machine","user Name":"administrator"},"instanceId":"f144ee95-a3e5-42da-a279-967d115809aa","isIncident":false,"remediationSteps":"verify that the user invoked this process\r\nrun antimalware scan of the VM","reportedSeverity":"High","reportedTimeUtc":"2018-05-02T05:36:12.2089889Z","state":"Dismissed","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","vendorName":"Microsoft"},"type":"Microsoft.Security/Locations/alerts"},{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22","name":"2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22","properties":{"actionTaken":"Detected","alertDisplayName":"Suspicious Screensaver process executed","alertName":"SuspiciousScreenSaver","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2","canBeInvestigated":true,"compromisedEntity":"vm2","confidenceReasons":[{"reason":"Suspicious process execution history for this subscription","type":"Process"},{"reason":"Suspicious process execution history for this subscription","type":"Process"},{"reason":"cmd.exe appeared in multiple alerts of the same type","type":"Process"}],"confidenceScore":0.3,"correlationKey":"4hnro6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s96++","description":"The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extensions are screen saver files and are normally reside and execute from the Windows system 
directory.","detectedTimeUtc":"2018-05-07T13:51:45.0045913Z","entities":[{"azureID":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2","dnsDomain":"","hostName":"vm2","netBiosName":"vm2","ntDomain":"","omsAgentID":"45b44640-3b94-4892-a28c-4a5cae27065a","operatingSystem":"Unknown","type":"host"},{"logonId":"0x61450d87","name":"contosoUser","ntDomain":"vm2","sid":"S-1-5-21-2144575486-8928446540-5163864319-500","type":"account"},{"directory":"c:\\windows\\system32","name":"cmd.exe","type":"file"},{"directory":"c:\\users\\contosoUser","name":"scrsave.scr","type":"file"},{"commandLine":"c:\\users\\contosoUser\\scrsave.scr","creationTimeUtc":"2018-05-07T13:51:45.0045913Z","processId":"0x4aec","type":"process"}],"extendedProperties":{"account logon id":"0x61450d87","command line":"c:\\users\\contosoUser\\scrsave.scr","domain name":"vm2","enrichment_tas_threat__reports":"{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}","parent process":"cmd.exe","parent process id":"0x3c44","process id":"0x4aec","process name":"c:\\users\\contosoUser\\scrsave.scr","resourceType":"Virtual Machine","user SID":"S-1-5-21-2144575486-8928446540-5163864319-500","user name":"vm2\\contosoUser"},"instanceId":"2325cf9e-42a2-4f72-ae7f-9b863cba2d22","remediationSteps":"1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. 
Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team","reportedSeverity":"Low","reportedTimeUtc":"2018-05-07T13:51:48.3810457Z","state":"Active","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","systemSource":"Azure","vendorName":"Microsoft","workspaceArmId":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu"},"type":"Microsoft.Security/Locations/alerts"}]}},"Get_security_alerts_on_a_subscription_from_a_security_data_location":{"value":{"value":[{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","name":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","properties":{"actionTaken":"Detected","alertDisplayName":"Threat Intelligence Alert","alertName":"ThreatIntelligence","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1","canBeInvestigated":true,"compromisedEntity":"vm1","confidenceReasons":[{"reason":"Some user reason","type":"User"},{"reason":"Some proccess reason","type":"Process"},{"reason":"Some computer reason","type":"Computer"}],"confidenceScore":0.8,"correlationKey":"Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=","description":"Process was detected running on the host and is considered to be suspicious, verify that the user run 
it","detectedTimeUtc":"2018-05-01T19:50:47.083633Z","entities":[{"address":"192.0.2.1","location":{"asn":6584,"city":"sonning","countryCode":"gb","latitude":51.468,"longitude":-0.909,"state":"wokingham"},"threatIntelligence":[{"confidence":0.8,"providerName":"Team Cymru","reportLink":"http://www.microsoft.com","threatDescription":"In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. 
In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.","threatName":"rarog","threatType":"C2"}],"type":"ip"}],"extendedProperties":{"attacker IP":"192.0.2.1","domain Name":"Contoso","resourceType":"Virtual Machine","user Name":"administrator"},"instanceId":"f144ee95-a3e5-42da-a279-967d115809aa","isIncident":false,"remediationSteps":"verify that the user invoked this process\r\nrun antimalware scan of the VM","reportedSeverity":"High","reportedTimeUtc":"2018-05-02T05:36:12.2089889Z","state":"Dismissed","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","vendorName":"Microsoft"},"type":"Microsoft.Security/Locations/alerts"},{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg2/providers/Microsoft.Security/locations/westeurope/alerts/2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22","name":"2518765996949954086_2325cf9e-42a2-4f72-ae7f-9b863cba2d22","properties":{"actionTaken":"Detected","alertDisplayName":"Suspicious Screensaver process executed","alertName":"SuspiciousScreenSaver","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2","canBeInvestigated":true,"compromisedEntity":"vm2","confidenceReasons":[{"reason":"Suspicious process execution history for this subscription","type":"Process"},{"reason":"Suspicious process execution history for this subscription","type":"Process"},{"reason":"cmd.exe appeared in multiple alerts of the same type","type":"Process"}],"confidenceScore":0.3,"correlationKey":"4hno6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0srk4","description":"The process ‘%{process name}’ was observed executing from an uncommon location.\r\n\r\nFiles with the .scr extensions are screen saver files and are normally reside and execute from the Windows system 
directory.","detectedTimeUtc":"2018-05-07T13:51:45.0045913Z","entities":[{"azureID":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/myRg2/providers/microsoft.compute/virtualmachines/vm2","dnsDomain":"","hostName":"vm2","netBiosName":"vm2","ntDomain":"","omsAgentID":"45b44640-3b94-4892-a28c-4a5cae27065a","operatingSystem":"Unknown","type":"host"},{"logonId":"0x61450d87","name":"contosoUser","ntDomain":"vm2","sid":"S-1-5-21-2144575486-8928446540-5163864319-500","type":"account"},{"directory":"c:\\windows\\system32","name":"cmd.exe","type":"file"},{"processId":"0x3c44","type":"process"},{"directory":"c:\\users\\contosoUser","name":"scrsave.scr","type":"file"},{"commandLine":"c:\\users\\contosoUser\\scrsave.scr","creationTimeUtc":"2018-05-07T13:51:45.0045913Z","processId":"0x4aec","type":"process"}],"extendedProperties":{"account logon id":"0x61450d87","command line":"c:\\users\\contosoUser\\scrsave.scr","domain name":"vm2","enrichment_tas_threat__reports":"{\"Kind\":\"MultiLink\",\"DisplayValueToUrlDictionary\":{\"Report: Suspicious Screen Saver Execution\":\"https://iflowreportsproda.blob.core.windows.net/reports/MSTI-TS-Suspicious-Screen-Saver-Execution.pdf?sv=2016-05-31&sr=b&sig=2igHPl764UM7aBHNaO9mPAnpzoXlwRw8YjpFLLuB2NE%3D&spr=https&st=2018-05-07T00%3A20%3A54Z&se=2018-05-08T00%3A35%3A54Z&sp=r\"}}","parent process":"cmd.exe","parent process id":"0x3c44","process id":"0x4aec","process name":"c:\\users\\contosoUser\\scrsave.scr","resourceType":"Virtual Machine","user SID":"S-1-5-21-2144575486-8928446540-5163864319-500","user name":"vm2\\contosoUser"},"instanceId":"2325cf9e-42a2-4f72-ae7f-9b863cba2d22","remediationSteps":"1. Run Process Explorer and try to identify unknown running processes (see https://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)\r\n2. Make sure the machine is completely updated and has an updated anti-malware application installed\r\n3. Run a full anti-malware scan and verify that the threat was removed\r\n4. 
Install and run Microsoft’s Malicious Software Removal Tool (see https://www.microsoft.com/en-us/download/malicious-software-removal-tool-details.aspx)\r\n5. Run Microsoft’s Autoruns utility and try to identify unknown applications that are configured to run at login (see https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)\r\n6. Escalate the alert to the information security team","reportedSeverity":"Low","reportedTimeUtc":"2018-05-07T13:51:48.3810457Z","state":"Active","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","systemSource":"Azure","vendorName":"Microsoft","workspaceArmId":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourcegroups/defaultresourcegroup-weu/providers/microsoft.operationalinsights/workspaces/defaultworkspace-21ff7fc3-e762-48dd-bd96-b551f6dcdd23-weu"},"type":"Microsoft.Security/Locations/alerts"}]}},"Get_security_alert_on_a_subscription_from_a_security_data_location":{"value":{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","name":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","properties":{"actionTaken":"Detected","alertDisplayName":"Threat Intelligence Alert","alertName":"ThreatIntelligence","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1","canBeInvestigated":true,"compromisedEntity":"vm1","confidenceReasons":[{"reason":"Some user reason","type":"User"},{"reason":"Some proccess reason","type":"Process"},{"reason":"Some computer reason","type":"Computer"}],"confidenceScore":0.8,"correlationKey":"Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=","description":"Process was detected running on the host and is considered to be suspicious, verify that the user run 
it","detectedTimeUtc":"2018-05-01T19:50:47.083633Z","entities":[{"address":"192.0.2.1","location":{"asn":6584,"city":"sonning","countryCode":"gb","latitude":51.468,"longitude":-0.909,"state":"wokingham"},"threatIntelligence":[{"confidence":0.8,"providerName":"Team Cymru","reportLink":"http://www.microsoft.com","threatDescription":"In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. 
In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.","threatName":"rarog","threatType":"C2"}],"type":"ip"}],"extendedProperties":{"attacker IP":"192.0.2.1","domain Name":"Contoso","resourceType":"Virtual Machine","user Name":"administrator"},"instanceId":"f144ee95-a3e5-42da-a279-967d115809aa","isIncident":false,"remediationSteps":"verify that the user invoked this process\r\nrun antimalware scan of the VM","reportedSeverity":"High","reportedTimeUtc":"2018-05-02T05:36:12.2089889Z","state":"Dismissed","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","vendorName":"Microsoft"},"type":"Microsoft.Security/Locations/alerts"}},"Get_security_alerts_on_a_resource_group":{"value":{"value":[{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","name":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","properties":{"actionTaken":"Detected","alertDisplayName":"Threat Intelligence Alert","alertName":"ThreatIntelligence","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1","canBeInvestigated":true,"compromisedEntity":"vm1","confidenceReasons":[{"reason":"Some user reason","type":"User"},{"reason":"Some proccess reason","type":"Process"},{"reason":"Some computer reason","type":"Computer"}],"confidenceScore":0.8,"correlationKey":"Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=","description":"Process was detected running on the host and is considered to be suspicious, verify that the user run 
it","detectedTimeUtc":"2018-05-01T19:50:47.083633Z","entities":[{"address":"192.0.2.1","location":{"asn":6584,"city":"sonning","countryCode":"gb","latitude":51.468,"longitude":-0.909,"state":"wokingham"},"threatIntelligence":[{"confidence":0.8,"providerName":"Team Cymru","reportLink":"http://www.microsoft.com","threatDescription":"In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. 
In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.","threatName":"rarog","threatType":"C2"}],"type":"ip"}],"extendedProperties":{"attacker IP":"192.0.2.1","domain Name":"Contoso","resourceType":"Virtual Machine","user Name":"administrator"},"instanceId":"f144ee95-a3e5-42da-a279-967d115809aa","isIncident":false,"remediationSteps":"verify that the user invoked this process\r\nrun antimalware scan of the VM","reportedSeverity":"High","reportedTimeUtc":"2018-05-02T05:36:12.2089889Z","state":"Dismissed","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","vendorName":"Microsoft"},"type":"Microsoft.Security/Locations/alerts"}]}},"Get_security_alerts_on_a_resource_group_from_a_security_data_location":{"value":{"value":[{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","name":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","properties":{"actionTaken":"Detected","alertDisplayName":"Threat Intelligence Alert","alertName":"ThreatIntelligence","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1","canBeInvestigated":true,"compromisedEntity":"vm1","confidenceReasons":[{"reason":"Some user reason","type":"User"},{"reason":"Some proccess reason","type":"Process"},{"reason":"Some computer reason","type":"Computer"}],"confidenceScore":0.8,"correlationKey":"Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=","description":"Process was detected running on the host and is considered to be suspicious, verify that the user run 
it","detectedTimeUtc":"2018-05-01T19:50:47.083633Z","entities":[{"address":"192.0.2.1","location":{"asn":6584,"city":"sonning","countryCode":"gb","latitude":51.468,"longitude":-0.909,"state":"wokingham"},"threatIntelligence":[{"confidence":0.8,"providerName":"Team Cymru","reportLink":"http://www.microsoft.com","threatDescription":"In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. 
In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.","threatName":"rarog","threatType":"C2"}],"type":"ip"}],"extendedProperties":{"attacker IP":"192.0.2.1","domain Name":"Contoso","resourceType":"Virtual Machine","user Name":"administrator"},"instanceId":"f144ee95-a3e5-42da-a279-967d115809aa","isIncident":false,"remediationSteps":"verify that the user invoked this process\r\nrun antimalware scan of the VM","reportedSeverity":"High","reportedTimeUtc":"2018-05-02T05:36:12.2089889Z","state":"Dismissed","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","vendorName":"Microsoft"},"type":"Microsoft.Security/Locations/alerts"}]}},"Get_security_alert_on_a_resource_group_from_a_security_data_location":{"value":{"id":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/alerts/2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","name":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA","properties":{"actionTaken":"Detected","alertDisplayName":"Threat Intelligence Alert","alertName":"ThreatIntelligence","associatedResource":"/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1","canBeInvestigated":true,"compromisedEntity":"vm1","confidenceReasons":[{"reason":"Some user reason","type":"User"},{"reason":"Some proccess reason","type":"Process"},{"reason":"Some computer reason","type":"Computer"}],"confidenceScore":0.8,"correlationKey":"Rkso6LFWxzCll5tqrk4hnrBJ+MY1BX806W6q6+0s9Jk=","description":"Process was detected running on the host and is considered to be suspicious, verify that the user run 
it","detectedTimeUtc":"2018-05-01T19:50:47.083633Z","entities":[{"address":"192.0.2.1","location":{"asn":6584,"city":"sonning","countryCode":"gb","latitude":51.468,"longitude":-0.909,"state":"wokingham"},"threatIntelligence":[{"confidence":0.8,"providerName":"Team Cymru","reportLink":"http://www.microsoft.com","threatDescription":"In bot armies, the controller is the server machine(s) that gives instructions to the controlled (zombied) hosts that connect to the command and control (C2) network. The controller host is usually running a botnet management application that is sending the commands to the zombied members of the bot army. These commands include, but are not limited to, the following: updating bitcoin wallet information, distributed denial-of-service (DDoS) target listings, updated C2 communication contact lists, and targeting data. C2 servers may be either directly controlled by the malware operators or run on hardware compromised by malware. There are multiple techniques for dynamically changing the control servers so that they are not isolated and brought down. Control servers utilize two general architectures: client-server and peer-to-peer. In a client-server model, all the hosts are controlled by a single server or a few control servers. 
In a peer-to-peer model, the infected hosts are both clients and servers, and they control other hosts so that instead of isolating the few control servers, all the hosts need to be removed.","threatName":"rarog","threatType":"C2"}],"type":"ip"}],"extendedProperties":{"attacker IP":"192.0.2.1","domain Name":"Contoso","resourceType":"Virtual Machine","user Name":"administrator"},"instanceId":"f144ee95-a3e5-42da-a279-967d115809aa","isIncident":false,"remediationSteps":"verify that the user invoked this process\r\nrun antimalware scan of the VM","reportedSeverity":"High","reportedTimeUtc":"2018-05-02T05:36:12.2089889Z","state":"Dismissed","subscriptionId":"20ff7fc3-e762-44dd-bd96-b71116dcdc23","vendorName":"Microsoft"},"type":"Microsoft.Security/Locations/alerts"}}},"parameters":{"AlertName":{"description":"Name of the alert object","in":"path","name":"alertName","required":true,"x-ms-parameter-location":"method","schema":{"type":"string"},"examples":{"Get security alert on a subscription from a security data location":{"value":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"},"Update security alert state on a subscription from a security data location":{"value":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"},"Get security alert on a resource group from a security data location":{"value":"2518770965529163669_F144EE95-A3E5-42DA-A279-967D115809AA"},"Update security alert state on a resource group from a security data location":{"value":"2518765996949954