Hello,
We used the MS Graph API to retrieve security alerts from our test environment. Some alerts have full details, while some of them don't provide any detailed information (host, source IP, user, infected file...).
The same behavior occurs through the REST API in Postman and through the C# wrapper.
Do you have any advice on whether it's, e.g., a permission or some additional settings issue, or an API bug?
Example of missing data:
{
  "cloudAppStates": [],
  "status": "newAlert",
  "azureTenantId": "5ccdaf49-e634-479f-b8e6-_",
  "feedback": null,
  "confidence": null,
  "id": "da636995025372880197_512683892",
  "title": "'EICAR_Test_File' malware was detected",
  "eventDateTime": "2019-07-23T18:14:23.4324294+00:00",
  "processes": [],
  "sourceMaterials": [
    "https://securitycenter.microsoft.com/alert/da636995025372880197_512683892"
  ],
  "vendorInformation": {
    "providerVersion": null,
    "subProvider": "WindowsDefenderAtp",
    "provider": "WDATP",
    "vendor": "Microsoft"
  },
  "detectionIds": [],
  "azureSubscriptionId": null,
  "vulnerabilityStates": [],
  "lastModifiedDateTime": "2019-07-23T18:22:28.3566667+00:00",
  "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.",
  "fileStates": [],
  "createdDateTime": "2019-07-23T18:15:37.1941339+00:00",
  "closedDateTime": null,
  "category": "Malware",
  "comments": [],
  "userStates": [],
  "hostStates": [],
  "@version": "1",
  "assignedTo": null,
  "registryKeyStates": [],
  "historyStates": [],
  "recommendedActions": [],
  "severity": "informational",
  "tags": [
    "_mutate_error"
  ],
  "triggers": [],
  "riskScore": null,
  "malwareStates": [],
  "networkConnections": [],
  "activityGroupName": null
}
In this case it was Defender.
However, we see the same from the ASC 3.0 source: e.g. the category AntimalwareActionTaken has full details, while the category AdaptiveNetworkHardeningInbound has just a title about a suspected IP and no detail at all. See examples:
Correct result:
{
  "id": "2518383947429999999_7c2565ed-75f6-4bee-84ee-c68c928c0c97",
  "azureTenantId": "5ccdaf49-e634-479f-b8e6-*",
  "azureSubscriptionId": "2444cc2b-23e9-4750-956f-*",
  "riskScore": null,
  "tags": [],
  "activityGroupName": null,
  "assignedTo": null,
  "category": "AntimalwareActionTaken",
  "closedDateTime": null,
  "comments": [],
  "confidence": null,
  "createdDateTime": "2019-07-23T18:31:28.261Z",
  "description": "Microsoft Antimalware has taken an action to protect this machine from malware or other potentially unwanted software.",
  "detectionIds": [],
  "eventDateTime": "2019-07-23T18:20:57Z",
  "feedback": null,
  "lastModifiedDateTime": "2019-07-23T18:31:31.0405919Z",
  "recommendedActions": [
    "No user action is necessary"
  ],
  "severity": "low",
  "sourceMaterials": [
    "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Virus:DOS/EICAR_Test_File"
  ],
  "status": "newAlert",
  "title": "Antimalware Action Taken",
  "vendorInformation": {
    "provider": "ASC",
    "providerVersion": "3.0",
    "subProvider": null,
    "vendor": "Microsoft"
  },
  "cloudAppStates": [],
  "fileStates": [
    {
      "name": "967664227.bat",
      "path": "c:\\temp\\eicar\\967664227.bat",
      "riskScore": "0",
      "fileHash": null
    }
  ],
  "hostStates": [
    {
      "fqdn": "demo....com",
      "isAzureAdJoined": null,
      "isAzureAdRegistered": null,
      "isHybridAzureDomainJoined": null,
      "netBiosName": null,
      "os": null,
      "privateIpAddress": null,
      "publicIpAddress": null,
      "riskScore": "0"
    }
  ],
  "historyStates": [],
  "malwareStates": [
    {
      "category": "Virus",
      "family": null,
      "name": "Virus:DOS/EICAR_Test_File",
      "severity": null,
      "wasRunning": null
    }
  ],
  "networkConnections": [],
  "processes": [],
  "registryKeyStates": [],
  "triggers": [],
  "userStates": [],
  "vulnerabilityStates": []
}
No data:
{
  "id": "2518385219999999999_fec0f737-1f01-4cf6-8cc5-2c4c812e25df",
  "azureTenantId": "5ccdaf49-e634-479f-b8e6-*",
  "azureSubscriptionId": "2444cc2b-23e9-4750-956f-*",
  "riskScore": null,
  "tags": [],
  "activityGroupName": null,
  "assignedTo": null,
  "category": "AdaptiveNetworkHardeningInbound",
  "closedDateTime": null,
  "comments": [],
  "confidence": null,
  "createdDateTime": "2019-07-23T06:01:09.4191821Z",
  "description": "Azure security center has detected incoming traffic from IP addresses, which have been identified as IP addresses that should be blocked by the Adaptive Network Hardening control",
  "detectionIds": [],
  "eventDateTime": "2019-07-22T07:00:00Z",
  "feedback": null,
  "lastModifiedDateTime": "2019-07-23T06:01:47.0272371Z",
  "recommendedActions": [
    "1. Review the IP addresses and determine if they should be communicating with the virtual machine",
    "2. Enforce the hardening rule recommended by Security Center which will allow access only to recommended IP addresses. You can edit the rule's properties and change the IP addresses to be allowed, or alternatively edit the Network Security Group's rules directly"
  ],
  "severity": "low",
  "sourceMaterials": [],
  "status": "newAlert",
  "title": "Traffic from unrecommended IP addresses was detected",
  "vendorInformation": {
    "provider": "ASC",
    "providerVersion": "3.0",
    "subProvider": null,
    "vendor": "Microsoft"
  },
  "cloudAppStates": [],
  "fileStates": [],
  "hostStates": [],
  "historyStates": [],
  "malwareStates": [],
  "networkConnections": [],
  "processes": [],
  "registryKeyStates": [],
  "triggers": [],
  "userStates": [],
  "vulnerabilityStates": []
}
Thanks and regards,
Roman
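Whatever the cause of the empty entity collections, a consumer of the Graph Security API has to cope with alerts that arrive in exactly the shape shown above. The following is an added example, not code from the post or from Microsoft: a small triage helper that unwraps one page of a Graph collection response (the `value` array and `@odata.nextLink`), records which of the alert's entity collections (hostStates, fileStates, userStates, networkConnections, and so on) are actually populated, flags alerts that carry no entity detail, and keeps the `sourceMaterials` links so a thin alert can still be routed to the provider's own console. The sample page is constructed from trimmed versions of the three alerts in the thread; the identifiers and the host name in it are placeholders.

```python
"""Triage helper for Microsoft Graph Security API alert objects.

Added example, not part of the original post. It reads alerts in the
shape shown in the thread (the /security/alerts resource) and reports
which entity collections are populated, so alerts that arrive without
host, file, user or network detail are flagged and routed to the
provider's own console via sourceMaterials rather than silently
dropped by downstream tooling that expects those fields.
"""
import json
from dataclasses import dataclass, field

# Collections on the alert resource that carry investigative detail.
DETAIL_COLLECTIONS = (
    "hostStates", "fileStates", "userStates", "networkConnections",
    "processes", "malwareStates", "registryKeyStates", "cloudAppStates",
    "vulnerabilityStates",
)


@dataclass
class Triage:
    alert_id: str
    provider: str
    category: str
    populated: list = field(default_factory=list)   # non-empty collections
    flags: list = field(default_factory=list)       # anything needing attention
    follow_up: list = field(default_factory=list)   # sourceMaterials links

    @property
    def has_detail(self) -> bool:
        return bool(self.populated)


def parse_alerts_page(raw: str):
    """Unwrap one page of a Graph collection response.

    Returns (alerts, next_link); next_link is None on the last page.
    """
    body = json.loads(raw)
    return list(body.get("value", [])), body.get("@odata.nextLink")


def triage_alert(alert: dict) -> Triage:
    vendor = alert.get("vendorInformation") or {}
    provider = vendor.get("provider") or "unknown"
    if vendor.get("subProvider"):
        provider += "/" + vendor["subProvider"]
    t = Triage(alert_id=alert.get("id", ""), provider=provider,
               category=alert.get("category", ""))
    t.populated = [c for c in DETAIL_COLLECTIONS if alert.get(c)]
    if not t.has_detail:
        t.flags.append("no-entity-detail")
    # Underscore-prefixed tags such as "_mutate_error" in the thread's
    # WDATP sample read like pipeline markers; surface them for review.
    for tag in alert.get("tags") or []:
        if tag.startswith("_"):
            t.flags.append(f"internal-tag:{tag}")
    t.follow_up = list(alert.get("sourceMaterials") or [])
    # A thin alert with no link back to the provider needs manual lookup.
    if not t.has_detail and not t.follow_up:
        t.flags.append("no-follow-up-link")
    return t


def thin_alert_counts(alerts: list) -> dict:
    """Count alerts lacking entity detail per (provider, category)."""
    counts = {}
    for a in alerts:
        t = triage_alert(a)
        if not t.has_detail:
            key = (t.provider, t.category)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample page, trimmed from the three alerts in the thread;
# ids and the host name are placeholders, not live values.
SAMPLE_PAGE = json.dumps({
    "value": [
        {"id": "wdatp-1", "category": "Malware",
         "title": "'EICAR_Test_File' malware was detected",
         "vendorInformation": {"provider": "WDATP",
                               "subProvider": "WindowsDefenderAtp"},
         "tags": ["_mutate_error"],
         "sourceMaterials": ["https://securitycenter.microsoft.com/alert/wdatp-1"],
         "hostStates": [], "fileStates": [], "malwareStates": []},
        {"id": "asc-1", "category": "AntimalwareActionTaken",
         "vendorInformation": {"provider": "ASC", "subProvider": None},
         "tags": [], "sourceMaterials": [],
         "fileStates": [{"name": "967664227.bat",
                         "path": "c:\\temp\\eicar\\967664227.bat"}],
         "hostStates": [{"fqdn": "demo.example.invalid"}],
         "malwareStates": [{"name": "Virus:DOS/EICAR_Test_File"}]},
        {"id": "asc-2", "category": "AdaptiveNetworkHardeningInbound",
         "vendorInformation": {"provider": "ASC", "subProvider": None},
         "tags": [], "sourceMaterials": [],
         "hostStates": [], "networkConnections": []},
    ]
})


if __name__ == "__main__":
    alerts, _ = parse_alerts_page(SAMPLE_PAGE)
    for a in alerts:
        t = triage_alert(a)
        print(f"{t.alert_id:8} {t.provider:24} {t.category:32} "
              f"detail={t.has_detail} flags={t.flags} links={t.follow_up}")
    print("thin alerts per provider/category:", thin_alert_counts(alerts))
```

Running this against a real response (the same JSON the C# wrapper or Postman returns) gives a per-provider, per-category count of thin alerts, which is the evidence to attach to a support ticket: if one category is always empty regardless of permissions, that points at the provider mapping rather than at the caller's setup.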